Absent Member.

Probable Successful Brute Force Report help

I'm trying to create a report for probable successful brute force login attempts. The problem is, there isn't a 'join' operator in the 'Conditions' section of the query. How can I get around this problem? I want to have an identical condition to the canned 'Probable Successful Brute Force' rule, which uses a 'join' operator. Thank you!

4 Replies

Absent Member.

Hi Jim,

You already have the rule showing you the results for probable successful brute force logins - why not just use the events that this rule generates? It very likely has all the information you need.

What you are trying to do, joining conditions within queries, is not possible.

BR,

Christoph

Absent Member.

Thanks for the response, Christoph. Could you please elaborate? How would I go about creating a report off of correlated events?

Absent Member.

You cannot use the Join operator in a query (historical), only on events (i.e. in a rule). I would probably use a rule to write the events you need to an active list, then query off of that to create the report. I think the rule can generate its own correlated event, but I like having the list so I can view it whenever I want.

Regards,

Aaron

Cadet 2nd Class

Jim,

Try the following conditions in your query:

type=Correlated & generatorUri=/All Rules/Real-time Rules/Intrusion Monitoring/Attack Monitoring/Attackers/Successful Attacks/Probable Successful Attack - Brute Force

A correlated event is basically just an event. So after the rule fires, a corresponding event is written to the events table and you can query it and use its data whenever you want. When this particular rule fires it generates a correlated event with the following fields populated (you can check this out in the Aggregation tab in the rule editor):

Brute_Force.Attacker Address

Brute_Force.Target Zone Resource

Brute_Force.Attacker Dns Domain

Login_Success.Target User Name

Brute_Force.Target Port

Brute_Force.Target Host Name

Brute_Force.Target Nt Domain

Brute_Force.Customer Resource

Brute_Force.Attacker Nt Domain

Brute_Force.Attacker Host Name

Login_Success.Target User ID

Brute_Force.Attacker Zone Resource

Brute_Force.Target Address

Login_Success.Target Service Name

Brute_Force.Target Dns Domain

HTH,

Ihar

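To make the two-stage pattern in the replies concrete, here is an added Python example; it is not code from the thread or from ArcSight. It simulates the join that a real-time rule performs on the live event stream (failed logins followed by a success from the same attacker to the same target inside a time window), emits correlated events carrying a subset of the field names Ihar lists, and then runs the historical filter type=Correlated & generatorUri=... over the combined events table. The generatorUri is the one quoted in Ihar's reply; the failure threshold, the window, the sample events, the base-event field names and the extra failedAttempts field are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# generatorUri of the rule named in Ihar's reply (standard-content path as quoted there)
RULE_URI = ("/All Rules/Real-time Rules/Intrusion Monitoring/Attack Monitoring/"
            "Attackers/Successful Attacks/Probable Successful Attack - Brute Force")

# Assumed rule parameters, chosen for illustration; not the real rule's settings
FAIL_THRESHOLD = 5             # failed logins needed before a success counts
WINDOW = timedelta(minutes=2)  # failures older than this are forgotten


def base_event(time, attacker, target, user, outcome):
    """Build a constructed base (non-correlated) authentication event."""
    return {"type": "Base", "endTime": time, "attackerAddress": attacker,
            "targetAddress": target, "targetUserName": user,
            "categoryOutcome": outcome}


# Constructed sample data, not real ArcSight events.
# 203.0.113.7: 5 failures then a success within 50 s      -> should correlate
# 198.51.100.9: only 2 failures before the success         -> below threshold
# 192.0.2.33: 5 failures, but the success comes 8 min later -> outside window
BASE_EVENTS = (
    [base_event(f"2023-01-01T10:00:{s:02d}", "203.0.113.7", "10.0.0.5", "alice", "/Failure")
     for s in (0, 10, 20, 30, 40)]
    + [base_event("2023-01-01T10:00:50", "203.0.113.7", "10.0.0.5", "alice", "/Success")]
    + [base_event(f"2023-01-01T10:01:{s:02d}", "198.51.100.9", "10.0.0.5", "bob", "/Failure")
       for s in (0, 5)]
    + [base_event("2023-01-01T10:01:10", "198.51.100.9", "10.0.0.5", "bob", "/Success")]
    + [base_event(f"2023-01-01T10:02:{s:02d}", "192.0.2.33", "10.0.0.8", "carol", "/Failure")
       for s in (0, 5, 10, 15, 20)]
    + [base_event("2023-01-01T10:10:00", "192.0.2.33", "10.0.0.8", "carol", "/Success")]
)


def correlate(events):
    """Simulate the join a real-time rule performs on the event stream.

    Failed logins are tracked per (attacker, target); a success that arrives
    after at least FAIL_THRESHOLD failures inside WINDOW produces one
    correlated event whose fields are named as in the rule's Aggregation tab.
    """
    failures = defaultdict(deque)
    correlated = []
    for ev in sorted(events, key=lambda e: e["endTime"]):
        now = datetime.fromisoformat(ev["endTime"])
        recent = failures[(ev["attackerAddress"], ev["targetAddress"])]
        while recent and now - recent[0] > WINDOW:   # expire old failures
            recent.popleft()
        if ev["categoryOutcome"] == "/Failure":
            recent.append(now)
        elif ev["categoryOutcome"] == "/Success" and len(recent) >= FAIL_THRESHOLD:
            correlated.append({
                "type": "Correlated",
                "generatorUri": RULE_URI,
                "endTime": ev["endTime"],
                "Brute_Force.Attacker Address": ev["attackerAddress"],
                "Brute_Force.Target Address": ev["targetAddress"],
                "Login_Success.Target User Name": ev["targetUserName"],
                "failedAttempts": len(recent),   # assumed extra field for the report
            })
            recent.clear()
    return correlated


def report_query(events_table, generator_uri=RULE_URI):
    """The historical query condition from the thread:
    type=Correlated & generatorUri=<rule>. No join is needed at this stage."""
    return [e for e in events_table
            if e["type"] == "Correlated" and e["generatorUri"] == generator_uri]


def build_report(base_events):
    """Rule output is written back to the events table; the report then queries it."""
    events_table = list(base_events) + correlate(base_events)
    return report_query(events_table)


if __name__ == "__main__":
    for row in build_report(BASE_EVENTS):
        print(row["endTime"], row["Brute_Force.Attacker Address"], "->",
              row["Brute_Force.Target Address"], "as",
              row["Login_Success.Target User Name"],
              f"after {row['failedAttempts']} failures")
```

Run against the constructed data, only the first attacker produces a row: the second never reaches the threshold and the third's failures have aged out of the window by the time the success arrives. The split mirrors the advice above: the stateful join lives in the rule (or, per Aaron's variant, the rule populates an active list), and the report only needs a stateless filter on type and generatorUri.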