What is best practise to correlation between brute forces and succcessful login in future

uudecode · October 1, 2018, 3:08pm

Hi!
Will you be so kind, to advice a good using of grayLog in this case:
1.Some bad dude brute forcing account uudecode (we log it, even aggregated)
2.This villain successfully get password and login into system.
3. We make alarm about this case.

I see two options:

For every successful login we inspect past in log for brute force attempts and raise alarm.
on every aggregated brute force wait a one minute for success login and raise alarm.

What could I do? What scenario is possible?

Thank you!

jan · October 2, 2018, 2:22pm

with the upcoming 3.0 this will be possible, currently, this will be hard to explain how you can do this.

system · October 16, 2018, 2:22pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Combine results from same IP Graylog Central (peer support)	2	401	October 26, 2018
Total Graylog Newbie. Some stupid questions if you have the time to help? Graylog Central (peer support)	2	172	June 7, 2023
Use cases and best practices Graylog Central (peer support)	2	3972	August 24, 2017
Implementing Graylog from Security point of view Graylog Central (peer support)	20	1679	January 4, 2022
Graylog Web GUI successful login log Graylog Central (peer support)	2	104	February 12, 2024

What is best practise to correlation between brute forces and succcessful login in future

Related Topics