One common use for the Alert Logic Search function—which you can utilize in the Alert Logic console at (navigation menu) > Investigate > Search > Search—is generating an alert when you receive log messages matching a pattern. For example, you can use a query like this to detect when failed logins to Windows machines cause a user to be locked out:
Sample Query: Windows Account Lockouts
-- Return a list of hosts which have generated Windows User Account Locked Out messages.
-- Each row includes:
-- The host where the lock-out occurred
-- The source of the login attempt (if available)
-- The domain of the requesting user
-- The user name of the requesting user
-- See also https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740
SELECT
time_recv AS "Time Received",
parsed.token_names.header.addr.host_name AS "Host Name",
parsed.token_names.header.addr.host_name.src_host_name AS "Src Host Name",
parsed.token_names.header.addr.domain.caller_domain AS "Caller Domain",
parsed.token_names.user.user_name.target_user_name AS "Target User"
FROM logmsgs
WHERE
parsed.rule_name = 'Windows User Account Locked Out'
ORDER BY "Time Received" DESC
To utilize this query immediately, open this query in the Alert Logic console.
Scheduled Search or Correlation Alert?
You can create an alert based on the above query in two ways: as a scheduled search or as a correlation alert. As a rule of thumb, use scheduled search for periodic reporting of every matching message and use correlation alerts when you want to receive an immediate alert when something unusual happens.
Scheduled Search
A scheduled search is executed periodically—for example, every day at midnight. A scheduled search always looks for data in the previous interval—a weekly search will look for matching messages with a timestamp in the last seven days. You can choose to receive an email alert every time the search is executed, or only when matching data is found. You can also choose to directly include matching messages in the email alert. Scheduled searches work well when you want to implement a process to review data every day, week, etc. They can return thousands of messages at a time, and the results are available to view later in the Downloads tab of the Search console.
Correlation Alert
A correlation alert is triggered whenever matching data is processed by Alert Logic. The sample query above will generate one alert for each Windows User Account Locked Out message. The alert can be customized to appear either as an incident or only as an alert. Note: incidents generated this way are not reviewed by the Alert Logic Security Operations Center. You can customize the text of the alert based on the fields in the SELECT statement, like Host Name and Target User in the sample. To avoid overwhelming yourself with notifications, there are options to suppress duplicate alerts. In addition, there is a limit of 300 alerts each hour for any correlation.
Summarized: Scheduled Search vs. Correlation Alert
To summarize the uses of scheduled searches and correlation alerts:
Scheduled Search | Correlation Alerts | |
---|---|---|
Frequency | Hourly, every 6 hours, daily, weekly, monthly | Only when detected |
Contents of alert | All matching results during last period | One matching result |
Where are results available? |
Downloads tab |
Optionally, Incident console |
Limits |
Default: 1000 results Maximum: 500000 results |
300 per hour, per correlation |
Typically used for |
Creating review processes Compliance reports |
Alerting for unusual occurrences |
Additional Resources
For more information on scheduled searches and correlation alerts, see the following knowledge base articles and pieces of documentation:
Comments
1 comment
An alternate form of this query can be used to aggregate results over a short period and collect results as a matching set.
Queries like this will
Please sign in to leave a comment.