ES|QL

Password spraying: many accounts, few attempts

The inverse signature of brute force: one IP tries many accounts with 1-3 attempts each to stay under lockout thresholds.

Prerequisites

Elasticsearch 8.12+, logs d'authentification ECS

SQL

FROM "logs-auth-*"
| WHERE event.outcome == "failure"
  AND @timestamp >= NOW() - 1 hour
| STATS
    comptes = COUNT_DISTINCT(user.name),
    tentatives = COUNT(*)
  BY source.ip
| EVAL tentatives_par_compte = ROUND(TO_DOUBLE(tentatives) / comptes, 1)
| WHERE comptes >= 15 AND tentatives_par_compte <= 3
| SORT comptes DESC
| LIMIT 25

Result

source.ip     | comptes | tentatives | tentatives_par_compte
--------------+---------+------------+----------------------
198.51.100.34 |     412 |        743 |                   1.8
203.0.113.187 |     186 |        521 |                   2.8
192.0.2.91    |      48 |         58 |                   1.2
203.0.113.66  |      19 |         24 |                   1.3

SOCPassword sprayingDétectionAuth

Related snippets

← Back to the Data Lab