I have just started to use Graylog to alert on one of my client’s networks.
I have set up various basic alerts for things like failed logon attempts.
Currently my emails are being severely spammed. How can I fine-tune the alert to only display potentially malicious logon attempts instead of the false positives?
As long as you can't indicate that the alert is malicious via a special field or the content of one field, this is not possible.
The alerting does not have any abilities like that; you would need to decide on ingest whether this is potentially malicious or a false positive, and then make use of that knowledge in the processing pipelines to create a field that the alert can act on.
You could use the Aggregates plugin in order to create alert conditions for failed login attempts.
With this plugin, you could create an alert condition that will send an alert when you receive a specific number of messages about failed login attempts in a specific time range.
E.g. If you receive 10 or more failed login attempts within a minute, send an alert.
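Both answers above describe the same two-stage idea: tag each event at ingest with fields an alert can act on (the pipeline approach in the first answer), then alert only when a source crosses a failure threshold inside a time window (the aggregate condition in the second answer). The following is an added Python model of that logic run over constructed sample events; it is not Graylog code and not from the thread. The field names (`EventID` 4625/4624 as failed/successful logon, `source_ip`, `user`), the allowlist of "expected noise" hosts, and the threshold of 10 failures per minute are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: hosts whose failed logons are expected noise (e.g. an authenticated
# vulnerability scanner). In Graylog this decision would live in a pipeline rule.
KNOWN_NOISE_SOURCES = {"10.0.0.77"}

BASE = datetime(2024, 1, 1, 12, 0, 0)


def _event(offset_s, src, user, event_id=4625):
    """Build one constructed Windows-style logon event."""
    return {
        "timestamp": BASE + timedelta(seconds=offset_s),
        "source_ip": src,
        "user": user,
        "EventID": event_id,  # 4625 = failed logon, 4624 = successful logon
    }


# Constructed sample events, not real data:
#   10.0.0.5  : 12 failures in 22 seconds (password guessing)
#   10.0.0.9  : 3 failures spread over 200 seconds (a user mistyping), then a success
#   10.0.0.77 : 20 failures in a minute, but an allowlisted scanner
SAMPLE_EVENTS = (
    [_event(i * 2, "10.0.0.5", "administrator") for i in range(12)]
    + [_event(i * 100, "10.0.0.9", "jsmith") for i in range(3)]
    + [_event(i * 3, "10.0.0.77", "svc-scan") for i in range(20)]
    + [_event(250, "10.0.0.9", "jsmith", event_id=4624)]
)


def enrich(event):
    """Ingest-time classification: add the fields the alert condition acts on.

    This is the role a Graylog processing pipeline rule plays; the alert itself
    never has to re-derive 'is this a failed logon' or 'is this host expected'.
    """
    out = dict(event)
    out["failed_logon"] = event.get("EventID") == 4625
    out["expected_noise"] = event.get("source_ip") in KNOWN_NOISE_SOURCES
    return out


def burst_alerts(events, threshold=10, window=timedelta(minutes=1)):
    """Sliding-window aggregate: count failed logons per source inside `window`.

    Emits exactly one alert each time a source's count reaches `threshold`,
    instead of one email per failed logon. Returns a list of
    (source_ip, timestamp_of_crossing, count).
    """
    alerts = []
    recent = defaultdict(deque)  # source_ip -> timestamps of recent failures
    for raw in sorted(events, key=lambda e: e["timestamp"]):
        ev = enrich(raw)
        if not ev["failed_logon"] or ev["expected_noise"]:
            continue
        q = recent[ev["source_ip"]]
        q.append(ev["timestamp"])
        # Drop failures that fell out of the window.
        while q and ev["timestamp"] - q[0] > window:
            q.popleft()
        # The count grows by one per event, so it equals `threshold` exactly
        # once per burst; that is the moment to alert.
        if len(q) == threshold:
            alerts.append((ev["source_ip"], ev["timestamp"], len(q)))
    return alerts


if __name__ == "__main__":
    for src, ts, count in burst_alerts(SAMPLE_EVENTS):
        print(f"ALERT {ts.isoformat()} {src}: {count} failed logons in 1 minute")
```

On the sample data this yields a single alert for 10.0.0.5; the mistyped logons never reach the threshold within the window and the scanner is suppressed by the ingest-time field. Tune `threshold`, `window` and the noise allowlist to the environment rather than to the sample values used here.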