Event type for login failure

Hi,

How can we filter logs related to authentication failure across all log sources? We can see authentication activities using metadata.event_type="USER_LOGIN", but this contains overall login activities, not just success and failure.

1 ACCEPTED SOLUTION

The best place to start would be the base search like this:

metadata.event_type = "USER_LOGIN" and security_result.action = "BLOCK"

Like metadata.event_type, security_result.action is an enumerated field, so there is a fixed set of values allowed. These include:

Enum Value               Enum Number  Description
ALLOW                    1            Allowed.
ALLOW_WITH_MODIFICATION  3            Strip, modify something (e.g. file or email was disinfected or rewritten and still forwarded).
BLOCK                    2            Blocked.
CHALLENGE                6            Challenged (e.g. the user was challenged by a Captcha, 2FA).
FAIL                     5            Failed (e.g. the event was allowed but failed).
QUARANTINE               4            Put somewhere for later analysis (does NOT imply block).
UNKNOWN_ACTION           0            The default action.

https://cloud.google.com/chronicle/docs/reference/udm-field-list#securityresultaction

Hopefully this gets you going in the right direction!

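The search from the accepted answer, as an added Python example (not from the original post, and not Chronicle's own code) for applying the same condition to events exported as UDM JSON. The event dicts are constructed samples; the example assumes that shape, treats security_result as the repeated field it is in UDM (so every element is checked), and lets the caller widen the match from BLOCK to FAIL, which the enum table above also lists.

```python
# Added example: replicate the UDM search
#   metadata.event_type = "USER_LOGIN" and security_result.action = "BLOCK"
# over exported events, with the action set adjustable (BLOCK, FAIL, ...).
from typing import Dict, Iterable, List, Set

# Enum values taken from the security_result.action table in the answer.
DEFAULT_FAILURE_ACTIONS: Set[str] = {"BLOCK", "FAIL"}

# Constructed sample events in UDM JSON shape (not real Chronicle output).
SAMPLE_EVENTS: List[dict] = [
    {"metadata": {"event_type": "USER_LOGIN"},
     "principal": {"user": {"userid": "alice"}},
     "security_result": [{"action": "ALLOW"}]},
    {"metadata": {"event_type": "USER_LOGIN"},
     "principal": {"user": {"userid": "bob"}},
     "security_result": [{"action": "BLOCK"}]},
    {"metadata": {"event_type": "USER_LOGIN"},
     "principal": {"user": {"userid": "carol"}},
     # repeated field: the verdict may sit in any element
     "security_result": [{"action": "CHALLENGE"}, {"action": "FAIL"}]},
    {"metadata": {"event_type": "NETWORK_CONNECTION"},
     "principal": {"user": {"userid": "dave"}},
     "security_result": [{"action": "BLOCK"}]},   # blocked, but not a login
    {"metadata": {"event_type": "USER_LOGIN"},
     "principal": {"user": {"userid": "erin"}}},   # no security_result at all
]


def is_failed_login(event: dict, actions: Set[str] = DEFAULT_FAILURE_ACTIONS) -> bool:
    """True for a USER_LOGIN event whose security_result carries a failure action."""
    if event.get("metadata", {}).get("event_type") != "USER_LOGIN":
        return False
    results = event.get("security_result") or []   # missing field -> no match
    return any(r.get("action") in actions for r in results)


def failure_count_by_user(events: Iterable[dict],
                          actions: Set[str] = DEFAULT_FAILURE_ACTIONS) -> Dict[str, int]:
    """Count failed logins per principal.user.userid, the usual pivot for triage."""
    counts: Dict[str, int] = {}
    for e in events:
        if is_failed_login(e, actions):
            user = e.get("principal", {}).get("user", {}).get("userid", "<unknown>")
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    print(failure_count_by_user(SAMPLE_EVENTS))            # {'bob': 1, 'carol': 1}
    print(failure_count_by_user(SAMPLE_EVENTS, {"BLOCK"}))  # {'bob': 1}
```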
