
Consider the use case where we need to find the pattern for an attack like 10 failed logons from the same device and the same username, followed by a successful logon from a different device but the same username. This should happen within 10 minutes.

Let us say we have 10 login-failed Windows events with user A as the username and B as the device name, and we have a successful logon from user A with a different device C; we should raise an alert. Please let me know how Flink CEP can be used to solve this case.

JDForLife
The above use case can also be extended to the following scenario: Pattern 1, followed within 10 mins by Pattern 2, followed within 30 mins by Pattern 3. Pattern 1: 10 failed logins from the same username and the same device within 10 mins. Pattern 2: 10 failed logins from the same username and distinct devices within 10 mins. Pattern 3: successful logins from the same username and any device. Kindly let me know how Apache Flink can manage this kind of scenario. – JDForLife Nov 10 '21 at 12:26

1 Answer


This is rather similar to Apache Flink - Matching Fields with the same value. In this case you might try MATCH_RECOGNIZE with something like this:

PARTITION BY user
...
PATTERN (F{10} S) WITHIN INTERVAL '10' MINUTE
DEFINE
  F AS F.status = 'failure' AND (LAST(F.device, 1) IS NULL OR F.device = LAST(F.device, 1)),
  S AS S.status = 'success' AND S.device <> LAST(F.device, 1)

The idea is to check that each new F is for the same device as the previous one, and S is for a different device.

BTW, in practice you might rather specify F{10,} so that the pattern matches 10 or more failed attempts in a row, rather than exactly 10.

David Anderson
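As an added example that is not part of David Anderson's answer or of Flink itself, here is the same PATTERN (F{10,} S) WITHIN INTERVAL '10' MINUTE logic written as a plain Python stream detector, so the three checks the MATCH_RECOGNIZE clause makes (partition by user, every F shares one device, S comes from a different device, everything inside the window) can be traced on sample input. All names (LogonEvent, FailuresThenForeignSuccessDetector, detect, the WS-* device names and the timestamps) are constructed for this illustration. It goes slightly beyond the answer's exact F{10} form: it implements the F{10,} variant the answer recommends, and it matches on the most recent failures of a longer run when only those fit in the window.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    user: str      # username (the PARTITION BY key)
    device: str    # workstation the logon came from
    status: str    # "failure" or "success"


class FailuresThenForeignSuccessDetector:
    """Per-user state machine mirroring PATTERN (F{10,} S) WITHIN INTERVAL '10' MINUTE:
    a run of consecutive failures from one device, then a success from another
    device, with all matched events inside the window."""

    def __init__(self, min_failures: int = 10, window: timedelta = timedelta(minutes=10)):
        self.min_failures = min_failures
        self.window = window
        # user -> (device of the current failure run, timestamps of those failures)
        self._runs: Dict[str, Tuple[str, Deque[datetime]]] = {}

    def _trim(self, stamps: Deque[datetime], now: datetime) -> None:
        # Drop failures that cannot share one window with the event at `now`;
        # this is what lets a long run still match on its most recent failures.
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()

    def process(self, ev: LogonEvent) -> Optional[dict]:
        """Feed one event (events must arrive in time order per user); return an alert or None."""
        run = self._runs.get(ev.user)
        if ev.status == "failure":
            if run is None or run[0] != ev.device:
                # F rows must all share one device: a failure from elsewhere restarts the run
                self._runs[ev.user] = (ev.device, deque([ev.ts]))
            else:
                run[1].append(ev.ts)
                self._trim(run[1], ev.ts)
            return None
        if ev.status != "success":
            raise ValueError(f"unexpected status {ev.status!r}")
        # Any success ends the run: it either completes the pattern or breaks the F sequence.
        self._runs.pop(ev.user, None)
        if run is None or run[0] == ev.device:
            return None                      # S must come from a *different* device
        failing_device, stamps = run
        self._trim(stamps, ev.ts)
        if len(stamps) < self.min_failures:
            return None
        return {
            "user": ev.user,
            "failing_device": failing_device,
            "success_device": ev.device,
            "failures": len(stamps),
            "first_failure": stamps[0],
            "success_at": ev.ts,
        }


def detect(events: List[LogonEvent], min_failures: int = 10,
           window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Run the detector over a batch of events sorted by time; return all alerts."""
    det = FailuresThenForeignSuccessDetector(min_failures, window)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = det.process(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


def sample_events() -> List[LogonEvent]:
    """Constructed sample stream (not real log data) covering the cases that matter."""
    t0 = datetime(2021, 11, 10, 12, 0, 0)
    ev: List[LogonEvent] = []
    # alice: 10 failures from WS-B inside 5 minutes, then success from WS-C -> alert
    ev += [LogonEvent(t0 + timedelta(seconds=30 * i), "alice", "WS-B", "failure") for i in range(10)]
    ev.append(LogonEvent(t0 + timedelta(minutes=6), "alice", "WS-C", "success"))
    # bob: same failures, but the success is from the same device -> no alert
    ev += [LogonEvent(t0 + timedelta(seconds=30 * i), "bob", "WS-B", "failure") for i in range(10)]
    ev.append(LogonEvent(t0 + timedelta(minutes=6), "bob", "WS-B", "success"))
    # carol: only 3 failures before the foreign success -> below threshold
    ev += [LogonEvent(t0 + timedelta(seconds=30 * i), "carol", "WS-B", "failure") for i in range(3)]
    ev.append(LogonEvent(t0 + timedelta(minutes=2), "carol", "WS-D", "success"))
    # dave: 10 failures spread over 13.5 minutes, success at +14 min -> never 10 in one window
    ev += [LogonEvent(t0 + timedelta(seconds=90 * i), "dave", "WS-B", "failure") for i in range(10)]
    ev.append(LogonEvent(t0 + timedelta(minutes=14), "dave", "WS-E", "success"))
    # erin: 12 failures then a foreign success -> alert (F{10,} matches 10 or more)
    ev += [LogonEvent(t0 + timedelta(seconds=20 * i), "erin", "WS-B", "failure") for i in range(12)]
    ev.append(LogonEvent(t0 + timedelta(minutes=5), "erin", "WS-F", "success"))
    return ev


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Running it reports alerts for alice (10 failures) and erin (12 failures) only. The single-threaded detector assumes events arrive in time order within each user, which in a Flink job is what the ORDER BY on an event-time attribute plus watermarks provide; the same per-user state (current device, timestamps of the failure run) is what Flink keeps for each partition while a partial match is open.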