Cloning/Creating A detection ES8
Find a detection you want to clone in our case it is "Excessive Failed Logins"
In the row of the detection you are wanting to clone all the way on the right there are 3 dots. Click them and hit clone
It will pop up a menu. Best practice add a unique name to tell the two detentions apart
<your business> - Excessive Failed Logins
Select enterprise security app if not already selected
Under event-based detection
The cloned app is set to guided we want manual
Under detection search
We will be changing the default search. What we are wanting is the email to appear in the event alert
| from datamodel:"Authentication"."Failed_Authentication"
| bin _time span=5m
| stats values(tag) as tag,
dc(user) as user_count,
values(user) as users,
dc(dest) as dest_count,
count by app, src, _time
| where count >= 6
| iplocation src
| table _time app src Country users user_count dest_count count5.1. (Side note)Having a table as the out seem to work best for me.
Example
| table _time app src Country users user_count dest_count countIn the Analyst Queue
Title (since the output of the main search is in a table you can use the vars in anything below the first search box)
$users$ Excessive Failed Logins -> baric@123fake.xyz Excessive Failed login
Description (The same var rules apply here as above)
Drill down Searches (Sub Searches that take in vars from the main search to dig deeper, must be clicked does not auto populate)
Name (can also use the vars from the main search )
Search for $src$
Below is a example, on what you can put
index=* src="$src$"
| table _time user src app action dest _raw
| sort -_timeThrottling
I have mirrored the default detection's to have it run every 23 hours
I have found that some searches will run every time when you set a time and will fill up the analyst Queue
Setting it to 86300 seconds witch is roughly 23 hours it works better ....
Last updated