Creating RDP Brute Force Alerts and Dashboards in Kibana Part 2/4
In this guide, we will walk through the process of setting up alerts and dashboards in Kibana to detect RDP brute force attacks and failed authentication attempts.
Step 1: Accessing Logs in Kibana
1. Open the Elastic GUI:
- Navigate to your Elastic instance and log into the GUI.
- Once logged in, click the hamburger icon (menu) in the top left.
2. Navigate to the Discover Tab:
- From the menu, select Discover. This will take you to the page where all logs are aggregated.
3. Set the Time Range:
- In the top-right corner, adjust the time frame to match the period you want to review (e.g., "Last 24 hours" or "Today").
- This ensures you’re viewing only the logs that are relevant to recent activity.
4. Filter by Agent Name:
- Use the filter bar to narrow down logs by specific hosts. For instance, if you want to focus on logs from your RDP server, use agent.name as the filter.
- Example query: agent.name:"RDP Server".
Step 2: Identifying Relevant Event IDs
1. Search for Failed Authentication Event IDs:
- Failed login attempts are typically logged with specific event codes. For instance, Event ID 4625 is associated with failed login attempts in Windows systems.
2. Filter by Event ID:
- In the search bar, enter event.code:4625 to filter out all other logs and display only failed login events.
- This allows you to focus on the data that’s most relevant to identifying brute force attacks.
Step 3: Customize the Table in Kibana
1. Add Key Fields:
- To make the logs more readable, you’ll want to add important fields like source.ip and user.name.
2. Modify the Table Layout:
- Click on the "Add" button next to these fields to include them in the display. This allows you to see who is attempting to log in and from which IP address.
3. Verify the Log Data:
- Once the table is updated with the necessary fields, review the logs to ensure that the information displayed matches real-world login attempts.
- For instance, compare the user.name field to known users of your system, and check the source.ip to identify if a particular IP is repeatedly attempting to log in.
Step 4: Create Alerts for Failed Logins
1. Save the Filtered Query:
- After filtering by event codes and verifying the data, save the search query by clicking the "Save" button at the top of the page.
- Name it something relevant like "RDP Failed Activity."
2. Navigate to the Alerts Section:
- On the top right corner, select Alerts.
- Click on Create Alert.
3. Set the Alert Conditions:
- For this alert, set conditions such as triggering when more than five failed login attempts happen within 5 minutes.
- You can modify this based on your security needs.
4. Customize Alert Action:
- Define what happens when an alert is triggered. For instance, you can send an email to your security team, trigger a webhook, or log the event into a separate index for further analysis.
Step 5: Fine-Tuning Alerts with Custom Rules
1. Go to the Rules Section:
- In Kibana, go to the Rules section under Security.
2. Create a Custom Rule:
- Click on Create New Rule and set the name and description for your custom rule (e.g., "SSH Brute Force Detection").
3. Input the Query for the Rule:
- While defining the rule there are a couple of rule-type options; we will choose Threshold.
- Use the previously filtered query as the base for your rule. You can add additional filters for fields like user.name and source.ip to further narrow down potential brute force attempts.
- Example query: event.code:4625 AND source.ip:* AND user.name:*.
4. Define Rule Parameters:
- Set the severity, risk score, and whether to group the alerts by source IP or username.
- You can create different risk categories based on the number of failed attempts or the origin of the IP address.
5. Set Alert Frequency:
- Specify how often the rule should check for this event (e.g., every 5 minutes).
- Save the rule and start monitoring for failed login attempts.
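To check what the threshold rule from Steps 4 and 5 will and will not fire on, here is the same logic (event.code 4625, grouped by source.ip, more than five hits inside a 5-minute window) re-implemented in Python over a handful of constructed events. This is an added example, not the page's or Elastic's code; the event records are made up and use the field names from the page's query.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, code, ip, user="alice"):
    """Build one constructed ECS-style event as Elastic Agent would ship it."""
    return {"@timestamp": ts, "event.code": code, "agent.name": "RDP Server",
            "source.ip": ip, "user.name": user}


# Constructed sample data, not real logs.
SAMPLE_EVENTS = (
    # six failures from one source in under three minutes: exceeds "more than five in 5 minutes"
    [ev(f"2024-05-01T10:00:{s:02d}Z", "4625", "203.0.113.7", "administrator") for s in (5, 20, 35, 50)]
    + [ev("2024-05-01T10:01:10Z", "4625", "203.0.113.7", "admin"),
       ev("2024-05-01T10:02:40Z", "4625", "203.0.113.7", "administrator")]
    # six failures from another source spread over 30 minutes: never more than one per 5-minute window
    + [ev(f"2024-05-01T10:{m:02d}:00Z", "4625", "198.51.100.20", "bob") for m in (0, 6, 12, 18, 24, 30)]
    # a successful logon (4624) and a 4625 with no user.name: both excluded by the query
    + [ev("2024-05-01T10:03:00Z", "4624", "203.0.113.7", "administrator"),
       {"@timestamp": "2024-05-01T10:03:30Z", "event.code": "4625", "source.ip": "203.0.113.7"}]
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def matches_query(event):
    """Equivalent of the page's KQL: event.code:4625 AND source.ip:* AND user.name:*"""
    return event.get("event.code") == "4625" and bool(event.get("source.ip")) and bool(event.get("user.name"))


def threshold_hits(events, group_by="source.ip", threshold=5, window=timedelta(minutes=5)):
    """Return {group value: peak count} for every group whose matching events
    exceed `threshold` inside some sliding window of length `window`."""
    buckets = defaultdict(list)
    for event in events:
        if matches_query(event):
            buckets[event[group_by]].append(parse_ts(event["@timestamp"]))
    hits = {}
    for key, times in buckets.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[key] = peak
    return hits
```

Grouping by user.name instead of source.ip on the same data does not fire, because the six attempts are split across two usernames; that is the trade-off behind the "group by source IP or username" choice in Step 5.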
Step 6: Testing Your Alerts
1. Simulate a Failed Login Attempt:
- You can test your alert by intentionally failing to log in to your system (e.g., enter incorrect credentials a few times).
2. Check if the Alert is Triggered:
- If the alert is set up correctly, Kibana should trigger the alert and notify you based on your configured actions (email, Slack, webhook, etc.).
3. Monitor and Refine:
- Regularly check the alert dashboard to ensure it’s functioning as expected and refine the query as necessary to reduce false positives or enhance detection accuracy.
Step 7: Create a Dashboard for Monitoring
1. Navigate to the Dashboard Section:
- In Kibana, go to Dashboard from the left-hand menu.
2. Add Visualizations:
- Create visualizations based on the fields you’ve filtered in previous steps. For example, you can visualize failed login attempts by IP, or create a chart showing login attempts over time. FYI, it is only available on Enterprise edition.
3. Customize the Dashboard:
- Include pie charts, bar graphs, and tables that display real-time data related to login attempts, successful logins, and failed logins.
- Make this dashboard your go-to view for monitoring security events.
Conclusion
With these steps, you’ve successfully created alerts and dashboards in Kibana to monitor and respond to SSH and RDP brute force attacks and failed login attempts. This setup helps you stay on top of potential threats and improve your system’s security posture.
Follow along for part 3 of creating alerts and dashboards in Kibana.