Probable Successful Brute Force Report help
I'm trying to create a report for probable successful brute force login attempts. The problem is, there isn't a 'join' operator in the 'Conditions' section of the query. How can I get around this problem? I want to have an identical condition to the canned 'probable successful brute force' rule, which uses a 'join' operator. Thank you!
You already have the Rule showing you the Results for probable Successful Brute Force Logins - why not just use the Events that this rule generates - it has very likely all Information you need.
What you are trying to do, join Conditions within queries, is not possible.
You cannot use the Join operator on a query (historical), only on events (i.e. in a rule). I would probably use a Rule to write the events you need to an Active List then query off of that to create the report. I think the Rule can generate its own correlated event, but I like having the list so I can view it whenever I want.
Try the following conditions in your query:
type=Correlated & generatorUri=/All Rules/Real-time Rules/Intrusion Monitoring/Attack Monitoring/Attackers/Successful Attacks/Probable Successful Attack - Brute Force
A correlated event is basically just an event. So after the rule fires a corresponding event is written to the events table and you can query it and use its data whenever you want. When this particular rule fires it generates a correlated event with the following fields populated (you can check this out in the Aggregation tab in the rule editor):
Brute_Force.Target Zone Resource
Brute_Force.Attacker Dns Domain
Login_Success.Target User Name
Brute_Force.Target Host Name
Brute_Force.Target Nt Domain
Brute_Force.Attacker Nt Domain
Brute_Force.Attacker Host Name
Login_Success.Target User ID
Brute_Force.Attacker Zone Resource
Login_Success.Target Service Name
Brute_Force.Target Dns Domain
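An added example, not code from any poster or from ArcSight itself: it applies the query condition above offline to a constructed event export and groups the rule's populated fields into a report. The rule URI and field names are taken from this thread; the sample rows and the `make_event` helper are constructed for illustration.

```python
from collections import Counter
# generatorUri of the canned rule, copied from the reply above.
BRUTE_FORCE_RULE_URI = (
    "/All Rules/Real-time Rules/Intrusion Monitoring/Attack Monitoring/"
    "Attackers/Successful Attacks/Probable Successful Attack - Brute Force"
)

# Four of the fields the rule populates on its correlated event; the report groups on them.
REPORT_FIELDS = (
    "Brute_Force.Attacker Host Name",
    "Brute_Force.Target Host Name",
    "Login_Success.Target User Name",
    "Login_Success.Target Service Name",
)

def make_event(etype, uri, attacker, target, user, service):
    """Build one constructed export row (hypothetical helper, not real data)."""
    return {
        "type": etype,
        "generatorUri": uri,
        "Brute_Force.Attacker Host Name": attacker,
        "Brute_Force.Target Host Name": target,
        "Login_Success.Target User Name": user,
        "Login_Success.Target Service Name": service,
    }

# Constructed sample export: two firings of the brute-force rule against the same
# target, one firing against another target, one other rule, and one plain base event.
SAMPLE_EVENTS = [
    make_event("Correlated", BRUTE_FORCE_RULE_URI, "ws-17", "srv-db01", "svc_backup", "ssh"),
    make_event("Correlated", BRUTE_FORCE_RULE_URI, "ws-17", "srv-db01", "svc_backup", "ssh"),
    make_event("Correlated", BRUTE_FORCE_RULE_URI, "ws-42", "srv-web02", "admin", "rdp"),
    make_event("Correlated", "/All Rules/Real-time Rules/Some Other Rule", "ws-03", "srv-db01", "bob", "ssh"),
    make_event("Base", "", "", "srv-db01", "alice", "ssh"),
]

def probable_successful_brute_force(events):
    """Offline equivalent of the query condition
    type=Correlated & generatorUri=<rule uri>: keep only that rule's firings."""
    return [e for e in events
            if e.get("type") == "Correlated"
            and e.get("generatorUri") == BRUTE_FORCE_RULE_URI]

def build_report(events):
    """Count firings per (attacker, target host, user, service), most frequent first.
    A missing field is reported as an empty string rather than dropping the row."""
    counts = Counter(tuple(e.get(f, "") for f in REPORT_FIELDS)
                     for e in probable_successful_brute_force(events))
    return [dict(zip(REPORT_FIELDS, key), count=n) for key, n in counts.most_common()]
```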