Stream how do correlation betwen 2 rules

Corentin · June 15, 2018, 9:32am

I want to make an alert for 5 failed login attempt in 5 minutes!
I want to make a corelation between IDevent and the name of the workstation.
How i do the corelation ?

derPhlipsi · June 15, 2018, 10:50am

Heyo @Corentin,

the 5 failed login attempts can be easily made an alert by using the message count alert (given that every system has its own stream)

If you have the name of the workstation in the same or another stream, have a look at this plugin:

Else, you could use the Graylog feature Lookup Tables:
http://docs.graylog.org/en/2.4/pages/lookuptables.html

If you want to get more help, you should elaborate a little more (e.g. where you get the name of the workstation from, how the IDevent can be linked to the name etc. )

Greetings,
Philipp

Corentin · June 15, 2018, 11:07am

ok thank, i will so see that !
i want do the corelation between EventID and TargetUserName not the workstation my bad !
I go applicate this rule on my ad

Corentin · June 15, 2018, 11:14am

I have one more question, how to recognize a domain admin login

derPhlipsi · June 15, 2018, 1:04pm

Are these fields in the same message or how do you want to correlate them (how are they connected to each other)?

You mean a admin account in your Windows domain?

Corentin · June 15, 2018, 1:21pm

yeah on the same message i explain you by a simple exmple if i filter juste by EventID:
User1: try to connect 3 time
User2: try to connect 3 time
I will receive an alert, if I leave as I did

exemple 2 with the corelation between EventID and TargetUserName
User1: try to connect 3 time
User2: try to connect 3 time
i will not receive an alert but if
user1: try to connect 5 time
I will receive an alert

for the account admin domain, I look for if there was a peculiarity to recognize them from the logs. or i just need to do one alert for evry account admin domain and one for creating admin account domain

derPhlipsi · June 15, 2018, 3:09pm

As far as I know, there is currently now official / easy way to have this. The closest one would be a message count alert, but that would obviously be your first case.

What I could think of is using this plugin:

It has the functionality you want, but not as a normal Graylog alert.

Ok, so you want to see if any of your admin accounts shows up inside the logs?

Corentin · June 15, 2018, 3:30pm

Thank you dude !

Yes,I need to see all accounts apartenent domain admin group and see their connection. Yes on the log of my ad it’s possible ?

After i have one other question sorry

How to send the logs of an input to a specific index? What are the rules declare in the stream ?

Thank for your time

system · June 29, 2018, 3:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
AD failed log on stream Graylog Central (peer support)	5	2312	January 3, 2018
Active Directory Logon / Logoff events Graylog Central (peer support) pipeline-rules	4	1787	August 16, 2020
Alert eventid and ip source.How to have corelation Graylog Central (peer support)	4	384	July 5, 2018
Pipeline alert aggregated Graylog Central (peer support)	3	344	May 28, 2020
Fields of the correlated events in the alert notification Graylog Central (peer support)	10	2713	June 11, 2021

Stream how do correlation betwen 2 rules

Related Topics