It could be useful to grab the key used in the json_map field and be able to track by whatever the user defined in json_map. Here's an example:
alert any $HOME_NET any -> $HOME_NET any (msg:"[WINDOWS-AUTH] Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller [100/1]"; \
program:Microsoft-Windows-NTLM/Operational; \
json_map:"event_id",".EventID"; \
event_id:8004; \
json_map:"host.workstationName",".WorkstationName"; \
json_map:"host.username",".Hostname"; \
after: track by_host.workstationName&by_host.username, count 10, seconds 60; \
threshold: type suppress, track by_host.workstationName&by_host.username, count 1, seconds 60; \
classtype:attempted-user; sid:1111111; rev:1;)
In the example we can use the predetermined fields, like event_id, or a user-defined variable. This gives the ability to track by two or more strings with after and/or threshold. If this can be done, maybe the same can be done with liblognorm. Any fields that are defined using liblognorm can be tracked with after and/or threshold.
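As an added illustration (not Sagan's own code and not part of the issue), a Python model of what tracking `after` and `threshold type suppress` by the composite `json_map` key would mean: each event is reduced to its mapped aliases, counted per (workstationName, username) pair, and suppressed per pair once an alert has fired. The JSON field layout and the timestamps are constructed for the demo.

```python
import json
from collections import defaultdict, deque

# json_map aliases from the rule above -> JSON key in the event (constructed layout)
JSON_MAP = {"event_id": "EventID",
            "host.workstationName": "WorkstationName",
            "host.username": "Hostname"}
TRACK_BY = ("host.workstationName", "host.username")  # by_host.workstationName&by_host.username

def extract(raw_json, json_map=JSON_MAP):
    """Apply json_map: return {alias: value} for every mapped key."""
    obj = json.loads(raw_json)
    return {alias: obj.get(key) for alias, key in json_map.items()}

class CompositeTracker:
    """'after' (fire once `after_count` events hit a key within `after_seconds`)
    combined with 'threshold type suppress' (at most `limit` alerts per key per window)."""
    def __init__(self, after_count=10, after_seconds=60, limit=1, suppress_seconds=60):
        self.after_count, self.after_seconds = after_count, after_seconds
        self.limit, self.suppress_seconds = limit, suppress_seconds
        self.hits = defaultdict(deque)    # composite key -> matching event timestamps
        self.alerts = defaultdict(deque)  # composite key -> emitted alert timestamps

    @staticmethod
    def _expire(q, now, window):
        while q and now - q[0] > window:  # drop timestamps outside the sliding window
            q.popleft()

    def process(self, ts, fields):
        """Return True if this event should produce an alert."""
        if fields.get("event_id") != 8004:            # the rule's event_id match
            return False
        key = tuple(fields.get(f) for f in TRACK_BY)  # composite tracking key
        hits = self.hits[key]
        hits.append(ts)
        self._expire(hits, ts, self.after_seconds)
        if len(hits) < self.after_count:              # 'after' count not yet reached
            return False
        alerts = self.alerts[key]
        self._expire(alerts, ts, self.suppress_seconds)
        if len(alerts) >= self.limit:                 # suppressed for this key
            return False
        alerts.append(ts)
        return True

def run_demo():
    """Constructed events: 12 NTLM audits from WS1/alice within 33 s, 5 from WS2/alice."""
    tracker = CompositeTracker()
    ws1 = '{"EventID": 8004, "WorkstationName": "WS1", "Hostname": "alice"}'
    ws2 = '{"EventID": 8004, "WorkstationName": "WS2", "Hostname": "alice"}'
    events = sorted([(t, ws1) for t in range(0, 36, 3)] + [(t, ws2) for t in range(0, 15, 3)])
    return sum(tracker.process(ts, extract(raw)) for ts, raw in events)  # 1 alert, WS1/alice only
```

Because the key is the pair and not the username alone, the five WS2 events do not count toward the WS1 alert, and the 11th and 12th WS1 events are suppressed.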