How to create a new visualization for failed login attempts?


Commercial League

Aug 26, 2024, 7:42:49 AM8/26/24
to Wazuh | Mailing List
Hi,

I see in the documentation https://documentation.wazuh.com/current/proof-of-concept-guide/detect-brute-force-attack.html that I can monitor failed login attempts. For me the most valuable graphs are "Alerts evolution - Top 5 agents" and "Top 5 agents". I would like to reuse these visualizations very often so I'd like to recreate the same functionality.
How can I recreate the two visualizations for more (20) agents in the Explore -> Visualize page?

I choose New Vertical Bar-> wazuh-alerts-* as source and in filter I select "Is one of ..." 60122, 60204 so I can get the total number of matching events. I cannot understand how to group events by top agents.

Would you suggest how to group them?

Kind regards,
Nikolay

Carlos Anguita López

Aug 28, 2024, 6:04:40 AM8/28/24
to Wazuh | Mailing List

Hello,

If I understand correctly what you want to do is to use a bar chart for more than 20 agents in descending order of number of alerts related to authentication problems.

What you could do would be:

  1. Choose the bar chart display type.
  2. On the X-Axis:
    a. Select aggregation by Terms -> agent.name
    b. Order -> Descending
    c. Size -> N (if N is large it could have impact on performance)
  3. Set Split Series to add one more condition
  4. In Split Series select in Aggregations -> Filters
    a. Set the filter to rule.id -> rules you are interested in.
    b. (optional) if you click on the tag icon next to the trash can you can custom label the filter.
  5. Once the filter is set you must drag and drop it to the first position of the buckets so that it pre-filters the query and the descending order of the agents is applied correctly.

IMPORTANT: the DQL queries are transformed into individual conditions for each of the ORs. This, added to the size of the aggregation of the agents, can seriously impact the performance.

Here is an image where you can see a configuration like the one described above:

[attachment: image.png]

In addition, I leave you the documentation of OpenSearch here: https://opensearch.org/docs/latest/dashboards/visualize/viz-index/

Hope it helps.
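As an added illustration (not code from the thread or from the Wazuh project), the block below builds the OpenSearch aggregation body that the steps above produce (a Filters bucket on rule.id placed first, then a Terms bucket on agent.name in descending order, capped at a size N) and re-implements the same grouping offline over constructed sample alerts so the expected ordering can be checked. The field names agent.name and rule.id are the wazuh-alerts-* fields used in the answer; rule id 10000 in the sample is a constructed non-matching id.

```python
import json
from collections import Counter

# Rule IDs the question filters on (failed-login rules from the thread).
FAILED_LOGIN_RULES = ["60122", "60204"]


def top_agents_query(rule_ids, size):
    """Query body equivalent to the bar chart described in the answer:
    pre-filter on rule.id, then count alerts per agent.name, descending."""
    return {
        "size": 0,  # aggregations only; raw hits are not needed for the chart
        "aggs": {
            "failed_logins": {
                # Filters bucket in first position, so it applies before the Terms bucket
                "filters": {"filters": {"failed_login": {"terms": {"rule.id": rule_ids}}}},
                "aggs": {
                    "top_agents": {
                        # Size N is the knob the answer warns about for large values
                        "terms": {"field": "agent.name", "order": {"_count": "desc"}, "size": size}
                    }
                },
            }
        },
    }


def top_agents_local(alerts, rule_ids, size):
    """Offline equivalent of the aggregation over a list of alert documents:
    returns [(agent_name, count), ...] sorted by count, highest first."""
    wanted = set(rule_ids)
    counts = Counter(a["agent"]["name"] for a in alerts if a["rule"]["id"] in wanted)
    return counts.most_common(size)


def _alert(agent, rule_id):
    return {"agent": {"name": agent}, "rule": {"id": rule_id}}


# Constructed sample alerts (not real data): db-02 has 4 matching alerts,
# web-01 has 3, bastion-03 has 1; web-01's rule 10000 alerts must be ignored.
SAMPLE_ALERTS = (
    [_alert("web-01", "60122")] * 3
    + [_alert("db-02", "60204")] * 2
    + [_alert("db-02", "60122")] * 2
    + [_alert("bastion-03", "60122")]
    + [_alert("web-01", "10000")] * 2  # constructed non-matching rule id
)

if __name__ == "__main__":
    print(json.dumps(top_agents_query(FAILED_LOGIN_RULES, 20), indent=2))
    print(top_agents_local(SAMPLE_ALERTS, FAILED_LOGIN_RULES, 20))
```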

Commercial League

Sep 10, 2024, 11:06:04 AM9/10/24
to Wazuh | Mailing List
Thank you! That was exactly what I needed.