Detect Brute Force


Brute force, in the general sense, solves a problem by trying every candidate answer in turn; its cost grows with the number of candidates. Against an authentication service it means guessing credentials (passwords, PINs, one-time codes) attempt after attempt until one is accepted. Every wrong guess is recorded as a logon failure, so the attack shows up as an abnormal number of authentication failures against one destination in a short time. The queries below implement exactly that rule: count failure events per destination over the last 600 seconds and alert when the count exceeds 30. Treat the threshold and window as starting points and tune them to the service's normal failure rate; note also that a per-destination count does not see a single source that sprays one password across many hosts, which needs a second rule keyed on the source address.

  • QRadar AQL
select "destinationip", count(*) as agg_val from events where UTF8(payload) ilike '%failure%' group by "destinationip" having agg_val > 30 last 10 minutes
The payload match is a coarse filter that will also hit unrelated events containing the word; where the log source is parsed, test the normalized event name or category for a logon-failure value instead. The window is the same 600 seconds, written as 10 minutes.
  • Splunk
action="failure" earliest=-10m | eventstats count as failures by dst_ip | where failures > 30 | table _time, src_ip, dst_ip, user, failures
The aggregate is a plain count of failure events: a distinct count of the category field (dc) would measure how many event types were seen, not how many attempts were made, and would almost never reach 30. The earliest= term pins the search to the same 10-minute window as the AQL rule.
  • Windows PowerShell
# Security log event 4625 = "An account failed to log on". On a single host the
# destination is always the host itself, so the useful grouping key is the
# source address the attempt came from. Run from an elevated shell.
$since = (Get-Date).AddSeconds(-600)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} |
  ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'IpAddress' | Select-Object -ExpandProperty '#text' } |
  Group-Object |
  Where-Object Count -gt 30 |
  Sort-Object Count -Descending |
  Select-Object @{n='src_ip'; e={$_.Name}}, Count
Event 4625 covers logons handled by the host itself; Kerberos pre-authentication failures against a domain controller are recorded there as event 4771, so on a DC extend the filter accordingly.
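The three queries above are the same rule expressed for three tools. The following is an added worked example, not code from the original page, that replays that rule over constructed sample events so the behaviour at the edges can be checked: a fast burst that is caught, a slow guesser that stays under the threshold, and a password spray that per-destination counting misses but per-source counting catches. It assumes events carry src_ip, dst_ip, user, action and an epoch timestamp, the field names the Splunk query uses; the sample data is constructed for the example.

```python
"""Threshold-based brute-force detection replayed over constructed events.

Added worked example (not code from the original page). Assumptions: events
carry src_ip, dst_ip, user, action and an epoch timestamp, and the sample
data below is constructed for the example, not captured from a real system.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable

WINDOW_SECONDS = 600  # the AQL query's "LAST 600 seconds"
THRESHOLD = 30        # the AQL query's "having agg_val > 30"


@dataclass(frozen=True)
class AuthEvent:
    ts: int        # epoch seconds
    src_ip: str    # where the attempt came from
    dst_ip: str    # the service being logged into
    user: str
    action: str    # "failure" or "success"


def detect_bruteforce(events: Iterable[AuthEvent], key: str = "dst_ip",
                      window: int = WINDOW_SECONDS,
                      threshold: int = THRESHOLD) -> dict[str, int]:
    """Return {group_value: timestamp of the failure that crossed the threshold}.

    Uses a sliding window, so a burst that straddles two fixed 10-minute
    intervals is still counted together. `key` is the grouping field:
    "dst_ip" reproduces the page's queries; "src_ip" also catches one source
    spraying single attempts across many hosts, which per-destination
    counting cannot see.
    """
    recent: dict[str, deque[int]] = defaultdict(deque)
    alerts: dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "failure":
            continue  # successes never count toward the threshold
        group = getattr(ev, key)
        q = recent[group]
        q.append(ev.ts)
        while q and ev.ts - q[0] >= window:  # expire failures outside the window
            q.popleft()
        if len(q) > threshold and group not in alerts:
            alerts[group] = ev.ts
    return alerts


def sample_events() -> list[AuthEvent]:
    """Constructed sample data covering the cases a practitioner should test."""
    t0 = 1_700_000_000
    events: list[AuthEvent] = []
    # 1) 40 failures from one source against 10.0.0.5, six seconds apart: alert.
    events += [AuthEvent(t0 + 6 * i, "198.51.100.7", "10.0.0.5", "admin", "failure")
               for i in range(40)]
    # 2) 31 failures against 10.0.0.6 but one every 65 s: never more than 10
    #    fall inside any 600 s window, so this slow guesser stays under the rule.
    events += [AuthEvent(t0 + 65 * i, "198.51.100.8", "10.0.0.6", "svc", "failure")
               for i in range(31)]
    # 3) Password spray: 35 failures from 203.0.113.9, each to a different
    #    host. Per-destination counting sees 1 failure per host and misses it.
    events += [AuthEvent(t0 + 100 + i, "203.0.113.9", f"10.0.1.{i}", "jsmith", "failure")
               for i in range(35)]
    # Noise: successful logons to 10.0.0.5 must not inflate its count.
    events += [AuthEvent(t0 + 50 + i, "10.0.0.20", "10.0.0.5", "alice", "success")
               for i in range(50)]
    return events


if __name__ == "__main__":
    evs = sample_events()
    print("by destination:", detect_bruteforce(evs))                # only 10.0.0.5
    print("by source:     ", detect_bruteforce(evs, key="src_ip"))  # 198.51.100.7 and the sprayer
```

Running the detector twice, once keyed on the destination and once on the source, is the cheap way to cover both the classic single-target brute force and the spray; lowering the threshold (for example to 9) also makes the slow guesser in case 2 visible, at the price of more noise from legitimate typos.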
