In QRadar there is by default an active rule named
Multiple Login Failures for Single Username containing the following criteria/tests
and when an event matches any of the following BB:CategoryDefinition: Authentication Failures and when at least 4 events are seen with the same Username in 1 minutes
which I understand is basically what you described as a starting point.
You can see that the first test references a Building Block - which is essentially equivalent to referencing another rule.
(this BB tests if the events match the categories such as
Authentication.Admin Login Failure, Authentication.Auth Server Login Failed, Authentication.FTP Login Failed, Authentication.General Authentication Failed, Authentication.Host Login Failed, etc.)
Also, by default, in QRadar there is an active rule named
Login Failures Followed By Success to the same Username containing the following criteria/tests:
and when BB:CategoryDefinition: Authentication Success match at least 1 times in 5 minutes after any of Multiple Login Failures for Single Username match with the same Username
This rule checks whether a rule (here a Building Block looking for Authentication Success events) matches at least once after the rule named
Multiple Login Failures for Single Username has matched at least once.
This rule by default sends a custom event and creates an offense; it can easily be updated to send an email as well.
In this form, the username can be any username parsed from events, but the tests will track the repeated occurrence of a username. If you need to track one or several particular usernames (e.g. you want to track only those with some kind of privileged use), you can populate a reference set with your data and update the rule with an additional test that will check if the username is in the reference set.
Of course, you can tweak the count and time parameters to your needs.
------------------------------
Dusan VIDOVIC
------------------------------
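As an added illustration (not QRadar code and not part of the original post), the following Python correlator reproduces the logic of the two rules described above over constructed sample events: at least 4 authentication-failure events for the same username within 1 minute, followed by a success for the same username within 5 minutes, with an optional reference-set-style allow list of watched usernames. The failure categories are the ones quoted in the post; "Authentication.User Login Success" is assumed here as a stand-in for the Authentication Success building block.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real QRadar output: (timestamp, low-level category, username)
EVENTS = [
    ("2022-06-01 07:00:00", "Authentication.General Authentication Failed", "slavcho"),
    ("2022-06-01 07:00:10", "Authentication.Host Login Failed", "slavcho"),
    ("2022-06-01 07:00:20", "Authentication.General Authentication Failed", "slavcho"),
    ("2022-06-01 07:00:30", "Authentication.General Authentication Failed", "slavcho"),
    ("2022-06-01 07:00:40", "Authentication.General Authentication Failed", "alice"),
    ("2022-06-01 07:02:00", "Authentication.User Login Success", "alice"),   # only 1 failure before
    ("2022-06-01 07:03:00", "Authentication.User Login Success", "slavcho"), # 4 failures before
]

# Stand-in for BB:CategoryDefinition: Authentication Failures (categories from the post)
FAILURE_CATEGORIES = {
    "Authentication.Admin Login Failure", "Authentication.Auth Server Login Failed",
    "Authentication.FTP Login Failed", "Authentication.General Authentication Failed",
    "Authentication.Host Login Failed",
}
# Assumed stand-in for BB:CategoryDefinition: Authentication Success
SUCCESS_CATEGORIES = {"Authentication.User Login Success"}

def correlate(events, min_failures=4, fail_window=timedelta(minutes=1),
              success_window=timedelta(minutes=5), watched=None):
    """Return (username, success timestamp) for every success that follows a
    burst of failures for the same username. `watched` mimics a reference set:
    when given, only those usernames are evaluated."""
    failures = defaultdict(deque)  # username -> recent failure timestamps
    burst_at = {}                  # username -> time the failure rule last matched
    hits = []
    for ts, category, user in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if watched is not None and user not in watched:
            continue
        if category in FAILURE_CATEGORIES:
            q = failures[user]
            q.append(t)
            while q and t - q[0] > fail_window:   # drop failures outside the 1-minute window
                q.popleft()
            if len(q) >= min_failures:
                burst_at[user] = t                # "Multiple Login Failures for Single Username" matched
        elif category in SUCCESS_CATEGORIES:
            start = burst_at.get(user)
            if start is not None and t - start <= success_window:
                hits.append((user, ts))           # "Login Failures Followed By Success" matched
                del burst_at[user]                # one offense per burst
    return hits
```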
Original Message:
Sent: Wed June 01, 2022 07:11 AM
From: Slavcho Andreevski
Subject: How to make a particular offence or rule
It is not about specific users.. I want the rule to send me a notification if a username (e.g. Slavcho) inputs his password wrong 3 times and then the same user logs in successfully to the domain server.. I have the rule which sends me a notification if a user inputs his password wrong. The rule that exists fires a notification for all the users, not just for 1 user (I mean if 3 users input a wrong password and the 4th one inputs it correctly it fires the notification, which is not what I want..)
------------------------------
Slavcho Andreevski
Original Message:
Sent: Fri May 27, 2022 03:32 AM
From: Dusan VIDOVIC
Subject: How to make a particular offence or rule
Slavčo, (if I understood the question properly) you can make the rule that calls other rules - such as:
AND when these rules match at least this many times in this many minutes after any of these rules match
or
AND when these rules match at least this many times with the same event properties in this many minutes after these rules match
Actually, there is a rule in QRadar already there you can maybe use as a guidance or template:
Login Failures Followed By Success to the same Destination IP
AND when BB:CategoryDefinition: Authentication Success match at least 1 times in 5 minutes after any of Multiple Login Failures to the Same Destination match with the same Destination IP
If it is about specific users, you can maybe use a combination of criteria that will search in a Reference set or another building block.
------------------------------
Dusan VIDOVIC
Original Message:
Sent: Thu May 26, 2022 05:20 AM
From: Slavcho Andreevski
Subject: How to make a particular offence or rule
Hi people,
I wanted to ask if you could tell me how I can make a rule if a user is logged in successfully on a particular server after 3 failed attempts. I made the rule to get notifications if a user has 3 failed login attempts, but now I cannot figure out how I can make a rule to send me a notification if the user has logged in successfully after those 3 failed attempts.
Thank you
------------------------------
Slavcho Andreevski
------------------------------