ES|QL

Password spraying: muchas cuentas, pocos intentos

La firma inversa del brute force: una IP prueba numerosas cuentas con 1-3 intentos cada una para mantenerse por debajo de los umbrales de bloqueo.

Requisitos

Elasticsearch 8.12+, logs d'authentification ECS

SQL

FROM "logs-auth-*"
| WHERE event.outcome == "failure"
  AND @timestamp >= NOW() - 1 hour
| STATS
    comptes = COUNT_DISTINCT(user.name),
    tentatives = COUNT(*)
  BY source.ip
| EVAL tentatives_par_compte = ROUND(TO_DOUBLE(tentatives) / comptes, 1)
| WHERE comptes >= 15 AND tentatives_par_compte <= 3
| SORT comptes DESC
| LIMIT 25

Resultado

source.ip     | comptes | tentatives | tentatives_par_compte
--------------+---------+------------+----------------------
198.51.100.34 |     412 |        743 |                   1.8
203.0.113.187 |     186 |        521 |                   2.8
192.0.2.91    |      48 |         58 |                   1.2
203.0.113.66  |      19 |         24 |                   1.3

SOCPassword sprayingDétectionAuth

Snippets relacionados

← Volver al Data Lab