Sigma Detections Filter #13272

simonkey7 · 2024-06-27T09:02:11Z

simonkey7
Jun 27, 2024

Version

2.4.80

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

8

RAM

24

Storage for /

100

Storage for /nsm

100

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I have a question about the new detections module.
I have a sigma rule to monitor a windows user fail login. The following works properly

title: Detection of Failed Windows Logins
id: jkl23456-7890-1bcd-efgh-567890123456
description: Detects failed login attempts on Windows systems.
status: stable
author: Your Name
date: 2020/05/17
logsource:
    category: authentication
    product: windows
detection:
    selection:
        EventID: 4625
    condition: selection
fields:
    - EventID
    - AccountName
    - AccountDomain
    - LogonType
    - LogonProcessName
    - IPAddress
    - WorkstationName
    - Status
    - FailureReason
    - SubjectUserSid
    - SubjectUserName
    - SubjectDomainName
    - SubjectLogonId
level: medium
tags:
    - attack.brute_force
    - attack.credential_access

How can I create a custom filter in the detections tab to filter, when this event has happend three times in one minute?

I was trying like this, but when I convert it the message Request failed with status code 500 happens:

detection:
    selection:
        EventID: 4625
    timeframe: 1m
    condition: selection | count(UserName) by UserName > 3

Do I have to create a custom ElastAlert2 Config?

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by defensivedepth

Jun 28, 2024

This is not currently possible in Detections because of Sigma and EQL/Lucene.

The good news is that the Sigma project has recently come out with support for more complex rules like this and it is supported in Elastic ES|QL. (Still very early support) There is no timeline at this point for when it will be supported in Security Onion.

View full answer

defensivedepth · 2024-06-28T20:18:50Z

defensivedepth
Jun 28, 2024
Maintainer

This is not currently possible in Detections because of Sigma and EQL/Lucene.

The good news is that the Sigma project has recently come out with support for more complex rules like this and it is supported in Elastic ES|QL. (Still very early support) There is no timeline at this point for when it will be supported in Security Onion.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Sigma Detections Filter #13272

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Sigma Detections Filter #13272

Uh oh!

simonkey7 Jun 27, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment

Uh oh!

defensivedepth Jun 28, 2024 Maintainer

simonkey7
Jun 27, 2024

defensivedepth
Jun 28, 2024
Maintainer