What is the best practice to correlate brute force attempts with a successful login in the future

Would you be so kind as to advise on a good use of Graylog in this case:
1. Some bad dude is brute forcing the account uudecode (we log it, even aggregated).
2. This villain successfully gets the password and logs into the system.
3. We raise an alarm about this case.

I see two options:

  1. For every successful login, we inspect the past log entries for brute force attempts and raise an alarm.
  2. On every aggregated brute force, wait one minute for a successful login and raise an alarm.

What could I do? What scenario is possible?

Thank you!

With the upcoming 3.0 this will be possible; currently, it will be hard to explain how you can do this.
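Added example, not part of the original thread and not Graylog configuration: the first option from the question (on each successful login, look back for a burst of failures on the same account), written as plain Python over already-parsed authentication events. The 10-minute window, the threshold of 5 failures, the event tuple layout and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed failure count that marks a brute force


def _ev(t, user, src, outcome):
    # Helper for building constructed sample events on one fixed day.
    return (datetime.fromisoformat("2024-01-01T" + t), user, src, outcome)


# Constructed sample events: (timestamp, account, source IP, outcome).
SAMPLE_EVENTS = (
    [_ev(f"10:00:{s:02d}", "uudecode", "203.0.113.7", "failure") for s in range(0, 60, 10)]
    + [_ev("10:01:05", "uudecode", "203.0.113.7", "success")]   # follows 6 failures
    + [_ev("10:02:00", "alice", "192.0.2.10", "failure"),        # a single typo
       _ev("10:02:10", "alice", "192.0.2.10", "success")]
    + [_ev(f"09:00:{s:02d}", "bob", "198.51.100.9", "failure") for s in range(0, 50, 10)]
    + [_ev("10:30:00", "bob", "192.0.2.20", "success")]          # failures too old
)


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Alert on a successful login preceded by >= threshold failures in window."""
    failures = defaultdict(deque)  # account -> recent (timestamp, source) failures
    alerts = []
    for ts, user, src, outcome in sorted(events, key=lambda e: e[0]):
        recent = failures[user]
        while recent and ts - recent[0][0] > window:  # drop failures outside window
            recent.popleft()
        if outcome == "failure":
            recent.append((ts, src))
        elif outcome == "success" and len(recent) >= threshold:
            sources = sorted({s for _, s in recent})
            alerts.append({
                "user": user,
                "login_time": ts,
                "failed_attempts": len(recent),
                "failing_sources": sources,
                "same_source": src in sources,  # login source also produced failures
            })
            recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Because events are processed in time order with per-account state, the same loop also covers the second option: the failures are held for the length of the window and the alarm fires when the success arrives.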

