Okay, so I have this ESA rule configured to detect 5 consecutive login failures followed by a successful login, and all within 5 minutes.
Although the rule triggers an alert on expected scenarios, there are a couple of significant observations:
1. The time window of 5 minutes does not hold if there are multiple source machines involved.
For instance, if the 1st event (login failure) occurs at 11:00am on machine X, the last event (login success) can occur at 11:30am or anytime after on machine Y, and the rule will still trigger provided the user account is the same.
This makes me wonder about the performance impact this may have on ESA. ESA is basically looking only for the sequence of '5 failed logins followed by a successful login' when more than 1 source machine is involved, and it seems it is ready to wait for hours for the 6th and last event, a successful login.
2. The time window of 5 minutes does not hold if the last event of 'login success' has no source machine identified.
For instance, if the first 5 events (login failures) occur within 5 minutes of each other in quick succession, and the login success event occurs beyond the 5-minute window but there is no event source machine identified for the event, the rule still triggers provided the user account is the same. It happens at times that no src_ip is listed for a 'login success' or 'computer credential validation check' event.
Do note, the authentication is being done by AD.
My view is that I should add a couple of conditions to the rule, ip_src exists and ip_src is distinct; but this will deprive me of utilizing this rule for checking logins across multiple devices.
Find below the logic for the rule configured on ESA.
/*
  This basic template is a placeholder for defining basic EPL content that can be
  installed and executed in ESA. The sample below is the minimum that would be
  required to get started.
*/
/* Module debug section. If this is empty then debugging is off. */
/* EPL section. If there is no text here it means there were no statements. */
@Description('Multiple Failed Logins Followed By a Successful Login by the Same User')
SELECT * FROM Event(
  /* Statement: Login Failure */
  (ec_activity.toLowerCase() IN ( 'logon' ) AND ec_outcome.toLowerCase() IN ( 'failure' ) AND user_dst IS NOT NULL)
  OR
  /* Statement: Login Success */
  (ec_activity.toLowerCase() IN ( 'logon' ) AND ec_outcome.toLowerCase() IN ( 'success' ) AND user_dst IS NOT NULL)
).win:time(5 Minutes)  /* the rule's 5-minute time window, restored from the configuration described above */
MATCH_RECOGNIZE (
  PARTITION BY user_dst
  MEASURES E1 as e1_data , E2 as e2_data
  PATTERN (E1 E1 E1 E1 E1 E2)
  DEFINE
    E1 as (E1.ec_activity.toLowerCase() IN ( 'logon' ) AND E1.ec_outcome.toLowerCase() IN ( 'failure' ) AND E1.user_dst IS NOT NULL),
    E2 as (E2.ec_activity.toLowerCase() IN ( 'logon' ) AND E2.ec_outcome.toLowerCase() IN ( 'success' ) AND E2.user_dst IS NOT NULL)
);
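As an added reference implementation (not part of the original post or of ESA itself) of what the rule is meant to enforce, the following Python applies the rule's own E1/E2 conditions per user_dst with a hard 5-minute bound on all six events, treats ip_src as reporting detail only (so a success with no ip_src still counts, but a success 30 minutes later from another host does not), and runs over constructed events that reproduce the two observations above:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
WINDOW = timedelta(minutes=5)   # the rule's configured time window
FAILURES_REQUIRED = 5           # PATTERN (E1 E1 E1 E1 E1 E2)

def _logon(ev, outcome):
    # Mirrors the E1/E2 DEFINE clauses: logon activity, given outcome, user_dst present
    return (ev["ec_activity"].lower() == "logon"
            and ev["ec_outcome"].lower() == outcome
            and ev.get("user_dst") is not None)

def detect(events):
    """Per user_dst: 5 consecutive failures then a success, all six events
    inside WINDOW, whatever ip_src says (including no ip_src at all)."""
    pending = defaultdict(deque)  # user_dst -> consecutive failures still in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not (_logon(ev, "failure") or _logon(ev, "success")):
            continue
        q = pending[ev["user_dst"]]
        while q and ev["time"] - q[0]["time"] > WINDOW:  # age out old failures
            q.popleft()
        if _logon(ev, "failure"):
            q.append(ev)
            continue
        if len(q) >= FAILURES_REQUIRED:  # a success closes the sequence
            alerts.append({
                "user_dst": ev["user_dst"],
                "span_seconds": (ev["time"] - q[0]["time"]).total_seconds(),
                "sources": sorted({e.get("ip_src") or "<no ip_src>" for e in [*q, ev]}),
            })
        q.clear()  # any success, alerting or not, resets the failure run
    return alerts

def _ev(mins, secs, outcome, user, ip):
    # Constructed sample event carrying only the meta keys the rule uses
    return {"time": datetime(2020, 1, 1, 11) + timedelta(minutes=mins, seconds=secs),
            "ec_activity": "Logon", "ec_outcome": outcome, "user_dst": user, "ip_src": ip}

SAMPLE = (
    # alice: 5 failures from one host, success 3 minutes later from another -> alert
    [_ev(0, 30 * i, "Failure", "alice", "10.0.0.5") for i in range(5)]
    + [_ev(3, 0, "Success", "alice", "10.0.0.9")]
    # bob: same burst, success 30 minutes later from another host -> must NOT alert
    + [_ev(0, 30 * i, "Failure", "bob", "10.0.0.5") for i in range(5)]
    + [_ev(30, 0, "Success", "bob", "10.0.0.9")]
    # carol: the success carries no ip_src but is inside the window -> alert
    + [_ev(0, 30 * i, "Failure", "carol", "10.0.0.5") for i in range(5)]
    + [_ev(4, 0, "Success", "carol", None)]
)
```

Comparing `detect(SAMPLE)` against what the deployed rule fires on the same three sequences isolates which of the two observations comes from the window clause and which from the missing ip_src.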