Failed Logon Alert Configuration Assistance
Posted: Mon Dec 16, 2019 12:35 pm
Good morning,
I'm attempting to set up an alert that triggers whenever any account has failed a logon attempt more than 10 times in a 10-minute period. I understand that I can do this with either a custom JSON query, or it looks like I can do it by setting up a Real-Time alert?
I found some helpful information in other support threads: https://support.nagios.com/forum/viewto ... s&start=10
But, I'm not super familiar with JSON and the alert isn't behaving like I expect it to, here's my example:
{
  "query": {
    "filtered": {
      "query": {
        "bool": {
          "should": [
            {
              "query_string": {
                "query": "*"
              }
            }
          ]
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "from": 1576514353823,
                  "to": 1576515253823
                }
              }
            },
            {
              "fquery": {
                "query": {
                  "query_string": {
                    "query": "_type:(\"eventlog\")"
                  }
                },
                "_cache": true
              }
            },
            {
              "fquery": {
                "query": {
                  "query_string": {
                    "query": "EventID:(\"4625\" \"4771\" \"4776\")"
                  }
                },
                "_cache": true
              }
            },
            {
              "fquery": {
                "query": {
                  "query_string": {
                    "query": "TargetUserName:((count >10))"
                  }
                },
                "_cache": true
              }
            }
          ],
          "must_not": [
            {
              "fquery": {
                "query": {
                  "query_string": {
                    "query": "TargetUserSid:(\"S-1-0-0\")"
                  }
                },
                "_cache": true
              }
            },
            {
              "fquery": {
                "query": {
                  "query_string": {
                    "query": "TargetUserName:(\"Altiris\")"
                  }
                },
                "_cache": true
              }
            }
          ]
        }
      }
    }
  }
}
With the above query I think I'm saying, during x time period, look for event ID 4625 or 4771 or 4776 where any TargetUserName occurs more than 10 times and does not equal Altiris and does not have S-1-0-0 in the message field.
It's reporting that I have 17746 matching entries, so either my environment is on the brink of collapse or I'm doing something wrong. My guess is the latter... Would I be better off with the custom query or should I use the Real-Time alert function?
The other thing I want to have happen is, in the email that's generated, I want it to provide a list of the unique TargetUserNames. I can do this with other alerts by using a line like this: <li>%uniquehosts%</li> but I don't know the comparable variable to get a list of users rather than hosts.
Can you folks help me out?
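The rule the post describes, written out as an added example (my code, not the poster's query and not part of Nagios Log Server): a query_string filter such as TargetUserName:((count >10)) matches individual events and cannot count them per account, so the "more than 10 in 10 minutes" part has to be applied as an aggregation over the events the filters return, and the unique-user list for the e-mail falls out of the same pass. The event IDs, exclusions and window come from the post; the records are constructed sample data and the function names are my own.

```python
from collections import defaultdict
from datetime import datetime, timedelta
FMT = "%Y-%m-%dT%H:%M:%SZ"
FAILED_LOGON_IDS = {4625, 4771, 4776}   # event IDs from the query above
EXCLUDED_USERS, EXCLUDED_SIDS = {"Altiris"}, {"S-1-0-0"}
WINDOW, THRESHOLD = timedelta(minutes=10), 10   # "more than 10 in 10 minutes"

def _burst(user, sid, event_id, count, spacing_s):
    """Constructed records for one account, `spacing_s` seconds apart."""
    base = datetime(2019, 12, 16, 16, 0, 0)
    return [{"@timestamp": (base + timedelta(seconds=i * spacing_s)).strftime(FMT),
             "EventID": event_id, "TargetUserName": user, "TargetUserSid": sid}
            for i in range(count)]

# Constructed sample data, not real logs: jdoe fails 12 times in 5.5 minutes,
# svc_backup fails 12 times spread over an hour, Altiris and S-1-0-0 are
# excluded by the rule, and jsmith's 4624 successes must not be counted.
SAMPLE_EVENTS = (_burst("jdoe", "S-1-5-21-1001", 4625, 12, 30)
                 + _burst("svc_backup", "S-1-5-21-1002", 4771, 12, 300)
                 + _burst("Altiris", "S-1-5-21-1003", 4776, 40, 5)
                 + _burst("ANONYMOUS LOGON", "S-1-0-0", 4625, 40, 5)
                 + _burst("jsmith", "S-1-5-21-1004", 4624, 40, 5))

def failed_logons(events):
    """Only the records the rule should consider (ID match, exclusions applied)."""
    return [e for e in events if e["EventID"] in FAILED_LOGON_IDS
            and e["TargetUserName"] not in EXCLUDED_USERS
            and e["TargetUserSid"] not in EXCLUDED_SIDS]

def accounts_over_threshold(events, threshold=THRESHOLD, window=WINDOW):
    """Peak failed-logon count per account in any sliding `window`; keep only peaks above `threshold`."""
    per_user = defaultdict(list)
    for e in failed_logons(events):
        per_user[e["TargetUserName"]].append(datetime.strptime(e["@timestamp"], FMT))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[user] = peak
    return hits

def unique_target_users(events):
    """Sorted unique TargetUserNames, the list wanted in the alert e-mail."""
    return sorted({e["TargetUserName"] for e in failed_logons(events)})
```

With the sample data only jdoe trips the rule (12 failures inside one window), while svc_backup's 12 failures never exceed 3 in any 10-minute span, which is the distinction a plain event-count filter cannot make.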