When should I use a scheduled search or create a correlation alert?


1 comment

  • Matt Sayler

    An alternate form of this query can be used to aggregate results over a short period and collect results as a matching set.

    Queries like this will

    • alert in near real-time
    • only generate a fixed number of alerts / time period
    • be able to include more (summary) data

    -- Return a set of hosts which have generated Windows User Account Locked Out messages. This query
    -- is aggregated over a short window, to ensure both low latency and capturing all data.
    -- Each row includes:
    --   A time interval for aggregation, formatted in UTC/GMT
    --   The set of unique combinations of:
    --     host where the lock-out occurred
    --     the source of the login attempt (if available)
    --     the domain of the requesting user
    --     the user name of the requesting user
    -- 300 second aggregation interval = 5 minute maximum delay
    SELECT
      INTERVAL(time_recv, 300) AS "Epoch time",
      FROM_EPOCHTIME("Epoch time", '%Y-%m-%d %H:%M:%S GMT') AS "Time Interval",
      COUNT(message) AS "Count",
      SET(CONCAT(['host: ', parsed.token_names.header.addr.host_name,
                  ' source_host: ', parsed.token_names.header.addr.host_name.src_host_name,
                  ' caller_domain: ', parsed.token_names.header.addr.domain.caller_domain,
                  ' target_user: ', parsed.token_names.user.user_name.target_user_name])) AS "Sources and callers"
    FROM logmsgs
    WHERE parsed.rule_name = 'Windows User Account Locked Out'
    GROUP BY "Epoch time", "Time Interval"
    HAVING "Count" > 0
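The bucketing the query above relies on, shown as an added Python example (not code from the comment or from the product's own query engine): events matching the lockout rule are grouped into fixed 300-second intervals, counted, and reduced to a deduplicated set of host/source/domain/user combinations, so the number of rows (and therefore alerts) per time period stays bounded no matter how many raw events arrive. The event field names and the sample events are constructed assumptions modelled on the query's columns.

```python
from datetime import datetime, timezone

# Constructed sample events standing in for rows of the logmsgs table.
# Field names are assumptions modelled on the columns used in the query above.
LOCKOUT_RULE = "Windows User Account Locked Out"
SAMPLE_EVENTS = [
    {"time_recv": 1700000100, "rule_name": LOCKOUT_RULE, "host": "dc01",
     "src_host": "ws-17", "caller_domain": "CORP", "target_user": "jdoe"},
    {"time_recv": 1700000220, "rule_name": LOCKOUT_RULE, "host": "dc01",
     "src_host": "ws-17", "caller_domain": "CORP", "target_user": "jdoe"},   # repeat -> deduplicated
    {"time_recv": 1700000300, "rule_name": LOCKOUT_RULE, "host": "dc02",
     "src_host": None, "caller_domain": "CORP", "target_user": "asmith"},   # source not available
    {"time_recv": 1700000350, "rule_name": "Some Other Rule", "host": "dc01",
     "src_host": "ws-02", "caller_domain": "CORP", "target_user": "bob"},    # filtered out
    {"time_recv": 1700000500, "rule_name": LOCKOUT_RULE, "host": "dc01",
     "src_host": "ws-03", "caller_domain": "CORP", "target_user": "jdoe"},   # next interval
]


def aggregate_lockouts(events, interval=300, rule=LOCKOUT_RULE):
    """Return one summary row per time bucket, mirroring the GROUP BY / HAVING query."""
    buckets = {}
    for ev in events:
        if ev["rule_name"] != rule:                       # WHERE parsed.rule_name = ...
            continue
        epoch = ev["time_recv"] - ev["time_recv"] % interval   # INTERVAL(time_recv, 300)
        combo = "host: %s source_host: %s caller_domain: %s target_user: %s" % (
            ev["host"], ev["src_host"] or "n/a", ev["caller_domain"], ev["target_user"])
        bucket = buckets.setdefault(epoch, {"count": 0, "combos": set()})
        bucket["count"] += 1                              # COUNT(message)
        bucket["combos"].add(combo)                       # SET(CONCAT([...])) keeps unique values
    rows = []
    for epoch in sorted(buckets):
        bucket = buckets[epoch]
        if bucket["count"] > 0:                           # HAVING "Count" > 0
            rows.append({
                "epoch": epoch,
                "time_interval": datetime.fromtimestamp(epoch, timezone.utc)
                                         .strftime("%Y-%m-%d %H:%M:%S GMT"),
                "count": bucket["count"],
                "sources_and_callers": sorted(bucket["combos"]),
            })
    return rows


if __name__ == "__main__":
    for row in aggregate_lockouts(SAMPLE_EVENTS):
        print(row)
```

Three matching events in the first interval collapse into a single row with two unique combinations, which is the "fixed number of alerts per time period" property the comment describes.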
