ES|QL

Successful login after a burst of failures

Aggregations filtered by outcome: if the first success for an IP/account pair occurs after the last failure of a burst, the brute force probably succeeded. Note the asymmetry of the check: it compares the first success with the last failure, so a pair whose success is followed by further failures is not flagged, and a legitimate user who eventually typed the right password after ten mistakes also matches; treat hits as triage candidates, not confirmed compromise.

Requirements

Elasticsearch 8.16+ (per-aggregation WHERE filters in STATS were introduced in 8.16), authentication logs in ECS format

ES|QL
FROM "logs-auth-*"
// Only the last 24 hours; widen the window if the bursts you hunt are slower.
| WHERE @timestamp >= NOW() - 24 hours
| STATS
    // Per-aggregation filters (8.16+) count and bound each outcome separately.
    echecs = COUNT(*) WHERE event.outcome == "failure",
    succes = COUNT(*) WHERE event.outcome == "success",
    dernier_echec = MAX(@timestamp) WHERE event.outcome == "failure",
    premier_succes = MIN(@timestamp) WHERE event.outcome == "success"
  BY source.ip, user.name
// Burst of at least 10 failures, and the first success came after the last failure.
| WHERE echecs >= 10 AND succes > 0 AND premier_succes > dernier_echec
// Minutes between the last failure and the first success.
| EVAL delai_min = DATE_DIFF("minute", dernier_echec, premier_succes)
| KEEP source.ip, user.name, echecs, succes, delai_min
| SORT echecs DESC
| LIMIT 25

Result

source.ip      | user.name  | echecs | succes | delai_min
---------------+------------+--------+--------+----------
203.0.113.66   | admin      |    412 |      1 |         2
198.51.100.23  | j.bernard  |     86 |      3 |        11
203.0.113.190  | svc-backup |     34 |      1 |         0
192.0.2.151    | m.roche    |     12 |      2 |        47
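To sanity-check the query's logic offline, the block below is an added Python replay of the same aggregation (it is not part of the original snippet and not Elastic code) run over a few constructed ECS-style events. The event set, IPs, users and timestamps are invented; they exercise the cases the query excludes (a success that precedes further failures, fewer than 10 failures, failures outside the 24-hour window), and the result columns keep the query's names so rows map one-to-one onto the table above.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed ECS-style authentication events (not real log data).
T0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)


def _ev(minutes, ip, user, outcome):
    """One event at T0 + minutes, using the ECS field names the query relies on."""
    return {"@timestamp": T0 + timedelta(minutes=minutes), "source.ip": ip,
            "user.name": user, "event.outcome": outcome}


SAMPLE_EVENTS = (
    # 12 failures, then a success 2 minutes after the last failure -> match
    [_ev(i, "203.0.113.66", "admin", "failure") for i in range(12)]
    + [_ev(13, "203.0.113.66", "admin", "success")]
    # success first, then 15 failures: first success precedes last failure -> no match
    + [_ev(0, "192.0.2.7", "m.roche", "success")]
    + [_ev(1 + i, "192.0.2.7", "m.roche", "failure") for i in range(15)]
    # only 5 failures before the success: below the burst threshold -> no match
    + [_ev(i, "198.51.100.23", "svc-backup", "failure") for i in range(5)]
    + [_ev(7, "198.51.100.23", "svc-backup", "success")]
    # 20 failures two days ago, success now: failures fall outside a 24h window -> no match
    + [_ev(-2880 + i, "203.0.113.190", "j.bernard", "failure") for i in range(20)]
    + [_ev(30, "203.0.113.190", "j.bernard", "success")]
)


def post_burst_successes(events, now, min_failures=10,
                         window=timedelta(hours=24), limit=25):
    """Replay of the ES|QL pipeline: time filter, STATS ... BY source.ip, user.name,
    the post-aggregation WHERE, EVAL of the delay in minutes, SORT and LIMIT."""
    cutoff = now - window
    groups = defaultdict(lambda: {"echecs": 0, "succes": 0,
                                  "dernier_echec": None, "premier_succes": None})
    for e in events:
        ts = e["@timestamp"]
        if ts < cutoff:  # WHERE @timestamp >= NOW() - window
            continue
        g = groups[(e["source.ip"], e["user.name"])]
        if e["event.outcome"] == "failure":
            g["echecs"] += 1  # COUNT(*) WHERE failure
            g["dernier_echec"] = ts if g["dernier_echec"] is None else max(g["dernier_echec"], ts)
        elif e["event.outcome"] == "success":
            g["succes"] += 1  # COUNT(*) WHERE success
            g["premier_succes"] = ts if g["premier_succes"] is None else min(g["premier_succes"], ts)

    rows = []
    for (ip, user), g in groups.items():
        # Burst threshold, at least one success, and first success after last failure.
        if (g["echecs"] >= min_failures and g["succes"] > 0
                and g["premier_succes"] > g["dernier_echec"]):
            # DATE_DIFF("minute", ...) truncates to whole minutes.
            delay = int((g["premier_succes"] - g["dernier_echec"]).total_seconds() // 60)
            rows.append({"source.ip": ip, "user.name": user, "echecs": g["echecs"],
                         "succes": g["succes"], "delai_min": delay})
    rows.sort(key=lambda r: r["echecs"], reverse=True)  # SORT echecs DESC
    return rows[:limit]  # LIMIT


if __name__ == "__main__":
    for row in post_burst_successes(SAMPLE_EVENTS, now=T0 + timedelta(hours=1)):
        print(row)
```

Only the admin pair survives with the default 24-hour window; widening `window` to three days also surfaces the j.bernard pair, which shows how much the time filter, not just the threshold, shapes the hit list.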
Tags: SOC, Brute force, Compromise, Auth
