
Lab 4 - Account compromise detection from a brute force attack

Parsing your logs allows you to give structure to your messages by identifying the fields that are meaningful to you.

Brute force attacks account for 5% of security breaches affecting governments, businesses, organizations, and private individuals. The actors are getting more and more clever in their techniques, so you want to catch these attempts early. You can detect a brute force attempt by monitoring AWS CloudTrail data for a high number of failed login attempts within a period of time.

In this lab you will detect a brute force technique used to guess user credentials by applying both if conditional statements and aggregation with the sum operator.

Lab Activity

Scope and parse

  1. To create the query that produces the Possible Brute Force Attempts panel, click +New, select Log Search, and set the time range to a 24 hour period.

  2. Set your _sourceCategory to the AWS CloudTrail source.

_sourceCategory=Labs/AWS/CloudTrail

  1. For this query you need to extract the following five JSON fields. Your query should now look like this:

_sourceCategory=Labs/AWS/CloudTrail
| json field=_raw "userIdentity.userName" as actor
| json field=_raw "eventType" as event_type
| json field=_raw "sourceIPAddress" as src_ip
| json field=_raw "responseElements.ConsoleLogin" as result
| json field=_raw "eventName" as event_name

  1. Run the query and observe the parsed fields in the field browser and the field window.


Create the parameter

  1. As in the last lab, you can create parameters for event_type and actor. At the bottom of the query, add the two where filters below, which use {{variable}} placeholders. The parameter window will appear.

| where event_type matches {{event_type}}
| where actor matches {{actor}}

  1. In the parameter window, type an asterisk (*) in each field. The asterisk is a wildcard, so by default each parameter matches every value.

Aggregate data over time

  1. To analyze the data over time, apply timeslice to group the incoming logs into 1 hour buckets. Next, test each event for success or failure with an if conditional, which yields a 1 or a 0 per event. Because the where filters above default to the * wildcard, events for any actor and event_type still pass through. Then aggregate with sum to get the total successes and failures per timeslice, actor and event_type:

| timeslice 1h
| if(result = "Success",1,0) as success_count
| if(result = "Failure",1,0) as failure_count
| sum(success_count) as Success, sum(failure_count) as Failure by _timeslice,actor,event_type

  1. To keep only the rows that contain failures, filter with where, then calculate the failure percent. To detect a brute force attack you want to isolate the users that failed at a very high rate, not someone who legitimately mistyped their password a couple of times.

| where Failure>0
| Failure/Success*100 as Failure_percent

Note: Failure_percent as calculated here is the number of failures per success in that hour, multiplied by 100, rather than the share of all attempts that failed. A value over 100 therefore means an actor had more failed than successful logins in that hour, which is what a brute force attempt, where someone is trying just anything to log in, looks like. Be aware that the formula divides by Success: in an hour where an actor has failures and no successes at all (the typical brute force case) the ratio is undefined, so such a row cannot be scored by Failure_percent and a large Failure count on its own should be treated as suspicious. An alternative that avoids this is Failure/(Failure+Success)*100, which always stays between 0 and 100.

Note: This query will detect a brute force script running within a very short time frame. You should see it within minutes of it happening, especially if you set up an alert on the query. You can then choose to respond with further investigation or immediate action.

  1. The entire query should look like this:

_sourceCategory=Labs/AWS/CloudTrail
| json field=_raw "userIdentity.userName" as actor
| json field=_raw "eventType" as event_type
| json field=_raw "sourceIPAddress" as src_ip
| json field=_raw "responseElements.ConsoleLogin" as result
| json field=_raw "eventName" as event_name
| where event_type matches {{event_type}}
| where actor matches {{actor}}
| timeslice 1h
| if(result = "Success",1,0) as success_count
| if(result = "Failure",1,0) as failure_count
| sum(success_count) as Success, sum(failure_count) as Failure by _timeslice,actor,event_type
| where Failure>0
| Failure/Success*100 as Failure_percent

  1. Run the query. The Aggregates tab shows the results in the table view, similar to the results below.

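To see the same pipeline end to end outside Sumo Logic, here is an added Python example (not part of the lab and not Sumo Logic code) that replays each stage of the query, from the json field extraction through timeslice, the if() flags, sum() by _timeslice/actor/event_type, and the Failure/Success*100 ratio, over a handful of constructed CloudTrail ConsoleLogin records. The detect() function and its suspect column are assumptions of this example: they mirror the where Failure>0 step and additionally flag an actor that failed with no successes at all, a case the lab's ratio cannot score because it would divide by zero.

```python
"""Replay of the lab's brute-force query over constructed CloudTrail records.

Each helper mirrors one stage of the Sumo Logic query: json field extraction,
the {{event_type}}/{{actor}} wildcard parameters, timeslice 1h, the if()
success/failure flags, sum() by _timeslice/actor/event_type, and the
Failure/Success*100 ratio. All sample records are constructed, not real data.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def console_login(when, user, ip, result):
    """Build a minimal CloudTrail ConsoleLogin record (constructed sample)."""
    return json.dumps({
        "eventTime": when,
        "eventType": "AwsConsoleSignIn",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": result},
    })


# Constructed sample: alice mistypes once then logs in; carol fails three
# times before succeeding; bob fails twelve times in one hour and never succeeds.
SAMPLE_LOGS = (
    [console_login("2020-08-05T10:03:11Z", "alice", "198.51.100.7", "Failure"),
     console_login("2020-08-05T10:03:40Z", "alice", "198.51.100.7", "Success")]
    + [console_login(f"2020-08-05T11:{m:02d}:05Z", "carol", "203.0.113.9", "Failure")
       for m in (14, 15, 16)]
    + [console_login("2020-08-05T11:17:30Z", "carol", "203.0.113.9", "Success")]
    + [console_login(f"2020-08-05T11:20:{s:02d}Z", "bob", "192.0.2.44", "Failure")
       for s in range(12)]
)


def json_field(record, path):
    """Equivalent of `json field=_raw "a.b.c"`: walk a dotted path, None if absent."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def parse(raw):
    """Extract the five fields the lab query pulls out of _raw, plus the event time."""
    rec = json.loads(raw)
    return {
        "actor": json_field(rec, "userIdentity.userName"),
        "event_type": json_field(rec, "eventType"),
        "src_ip": json_field(rec, "sourceIPAddress"),
        "result": json_field(rec, "responseElements.ConsoleLogin"),
        "event_name": json_field(rec, "eventName"),
        "_time": datetime.strptime(json_field(rec, "eventTime"), "%Y-%m-%dT%H:%M:%SZ")
        .replace(tzinfo=timezone.utc),
    }


def timeslice(ts):
    """`timeslice 1h`: floor a timestamp to the start of its hour bucket."""
    return ts.replace(minute=0, second=0, microsecond=0)


def aggregate(raw_logs, event_type="*", actor="*"):
    """`sum(success_count) as Success, sum(failure_count) as Failure by ...`
    after the two `where ... matches {{param}}` wildcard filters."""
    totals = defaultdict(lambda: {"Success": 0, "Failure": 0})
    for raw in raw_logs:
        f = parse(raw)
        # fnmatchcase stands in for Sumo's `matches` with * wildcards (an approximation).
        if not (fnmatchcase(f["event_type"] or "", event_type)
                and fnmatchcase(f["actor"] or "", actor)):
            continue
        key = (timeslice(f["_time"]), f["actor"], f["event_type"])
        # if(result = "Success",1,0) and if(result = "Failure",1,0), then sum()
        if f["result"] == "Success":
            totals[key]["Success"] += 1
        elif f["result"] == "Failure":
            totals[key]["Failure"] += 1
    return totals


def failure_percent(success, failure):
    """The lab's `Failure/Success*100`. None when Success is 0, where the ratio
    is undefined (the query would divide by zero)."""
    return failure / success * 100 if success else None


def detect(raw_logs, threshold=100, event_type="*", actor="*"):
    """`where Failure>0`, then score each row. Rows with no successes at all are
    flagged as well (an addition to the lab query, which cannot score them)."""
    rows = []
    for (slice_, who, etype), c in sorted(aggregate(raw_logs, event_type, actor).items()):
        if c["Failure"] <= 0:
            continue
        pct = failure_percent(c["Success"], c["Failure"])
        rows.append({
            "_timeslice": slice_.isoformat(), "actor": who, "event_type": etype,
            "Success": c["Success"], "Failure": c["Failure"], "Failure_percent": pct,
            "suspect": pct is None or pct > threshold,
        })
    return rows


if __name__ == "__main__":
    for row in detect(SAMPLE_LOGS):
        print(row)
```

Run it directly and it prints one row per timeslice, actor and event_type, matching the columns of the Aggregates table: alice scores exactly 100 and is not flagged, carol scores 300 and is flagged, and bob has twelve failures with no successes, so Failure_percent is None and the row is flagged only because of the extra zero-success rule.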

Add the panel to the dashboard

  1. Now that you have the data you want, add it to the SOC_<your initials###> dashboard you created earlier by clicking the Add to Dashboard button in the Aggregates tab. In the popup window, use the panel name Possible Brute Force Attempts.


  1. Since you are adding to an existing dashboard that already has the parameters from the previous lab, a popup asks you to confirm that you want to merge the parameters. Click Add Panel.


  1. Your starter SOC_<your initials###> dashboard now has this panel alongside the ones from the previous labs. Your dashboard should look like the one below.

Quiz (True or False?)

  1. The _raw refers to the raw data in the incoming logs in this example: json field=_raw "eventType" as event_type.
  2. If result matches failure_count then return a 1 to "Failure" in this example: if(result = "Failure",1,0) as failure_count.
  3. When you use timeslice 1h you are grouping the incoming logs into 1 hour groups for the purpose of analyzing data over time.

Summary

Congratulations! You’ve completed the following tasks:

  1. Learned how to use if conditionals.
  2. Reviewed how to create a parameter in a query.
  3. Added another panel to an existing dashboard.
  4. Aggregated data using the sum operator.