Stream: how to do correlation between 2 rules


#1

I want to make an alert for 5 failed login attempts in 5 minutes!
I want to make a correlation between IDevent and the name of the workstation.
How do I do the correlation?


(Philipp Ruland) #2

Heyo @Corentin,

The 5 failed login attempts can easily be made into an alert by using the message count alert (given that every system has its own stream).

If you have the name of the workstation in the same or another stream, have a look at this plugin:

Else, you could use the Graylog feature Lookup Tables:
http://docs.graylog.org/en/2.4/pages/lookuptables.html

If you want to get more help, you should elaborate a little more (e.g. where you get the name of the workstation from, how the IDevent can be linked to the name, etc. :slight_smile:)

Greetings,
Philipp


#3

OK, thanks, I will look at that!
I want to do the correlation between EventID and TargetUserName, not the workstation, my bad!
I will apply this rule on my AD.


#4

I have one more question: how to recognize a domain admin login?


(Philipp Ruland) #5

Are these fields in the same message or how do you want to correlate them (how are they connected to each other)?

You mean an admin account in your Windows domain?


#6

Yeah, in the same message. I'll explain with a simple example. If I filter just by EventID:
User1: tries to connect 3 times
User2: tries to connect 3 times
I will receive an alert, if I leave it as I did.

Example 2, with the correlation between EventID and TargetUserName:
User1: tries to connect 3 times
User2: tries to connect 3 times
I will not receive an alert, but if
User1: tries to connect 5 times
I will receive an alert.

For the domain admin accounts, I am looking for whether there is a peculiarity that lets me recognize them from the logs, or if I just need to make one alert for every domain admin account and one for the creation of a domain admin account.
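The two cases described in this post, as an added example that is not part of the original thread or of Graylog itself: a plain count of one EventID across the whole stream (which fires when User1 and User2 together reach the threshold) beside the per-TargetUserName sliding window the poster actually wants (which fires only when a single account reaches it). The sample events are constructed; the choice of 4625 as the failed-logon EventID is an assumption made for the example, not a value given in the thread.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (timestamp, EventID, TargetUserName).
# 4625 is assumed here to be the Windows failed-logon EventID being filtered on.
FAILED_LOGON = 4625
SAMPLE_EVENTS = [
    ("2018-03-01T10:00:05", 4625, "User1"),
    ("2018-03-01T10:00:40", 4625, "User2"),
    ("2018-03-01T10:01:10", 4625, "User1"),
    ("2018-03-01T10:01:55", 4625, "User2"),
    ("2018-03-01T10:02:30", 4625, "User1"),
    ("2018-03-01T10:03:00", 4625, "User2"),
    ("2018-03-01T10:03:20", 4624, "User1"),  # successful logon, ignored by both checks
]

WINDOW = timedelta(minutes=5)
THRESHOLD = 5


def parse(events):
    """Turn the ISO timestamps into datetime objects; keep EventID and user as-is."""
    return [(datetime.fromisoformat(ts), eid, user) for ts, eid, user in events]


def _window_hit(times, threshold, window):
    """Sliding window over sorted timestamps: True once `threshold` events
    fall within `window` of each other (inclusive of the boundary)."""
    q = deque()
    for t in times:
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            return True
    return False


def count_only(events, event_id=FAILED_LOGON, threshold=THRESHOLD, window=WINDOW):
    """Case 1 from the post: count every matching EventID in the stream,
    regardless of account. Returns True if any window holds >= threshold."""
    times = sorted(t for t, eid, _ in parse(events) if eid == event_id)
    return _window_hit(times, threshold, window)


def per_user(events, event_id=FAILED_LOGON, threshold=THRESHOLD, window=WINDOW):
    """Case 2: correlate EventID with TargetUserName, i.e. one sliding window
    per account. Returns the sorted list of accounts that reached the threshold."""
    by_user = defaultdict(list)
    for t, eid, user in parse(events):
        if eid == event_id:
            by_user[user].append(t)
    return sorted(u for u, ts in by_user.items() if _window_hit(sorted(ts), threshold, window))


if __name__ == "__main__":
    print("count-only alert fires:", count_only(SAMPLE_EVENTS))   # True: 6 failures total
    print("per-user alert fires for:", per_user(SAMPLE_EVENTS))   # []: only 3 per account
    more = SAMPLE_EVENTS + [
        ("2018-03-01T10:04:00", 4625, "User1"),
        ("2018-03-01T10:04:30", 4625, "User1"),
    ]
    print("per-user alert fires for:", per_user(more))            # ['User1']
```

The stream-level message count alert corresponds to `count_only`; getting the behaviour of `per_user` in Graylog needs a per-account grouping, which is what the thread turns to plugins or lookup tables for.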


(Philipp Ruland) #7

As far as I know, there is currently no official / easy way to have this. The closest one would be a message count alert, but that would obviously be your first case.

What I could think of is using this plugin:


It has the functionality you want, but not as a normal Graylog alert.

Ok, so you want to see if any of your admin accounts shows up inside the logs?


#8

Thank you dude!

Yes, I need to see all accounts belonging to the domain admin group and see their connections. Is that possible from the logs of my AD?

After that I have one other question :roll_eyes: sorry

How do I send the logs of an input to a specific index? What are the rules declared in the stream?

Thanks for your time


(system) #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.