Scenario overview
An attacker repeatedly guesses account passwords over many attempts in order to gain access to the system.
QRadar detection approach
1. Rule configuration
Rule name: [Authentication] Brute Force Login Detection
```
Test:
when an event matches any of the following BB:CategoryDefinition: Authentication
and when QIDNAME(qid) = 'Failed Login'
and when at least 5 events are seen
within 5 minutes
from the same Source IP
Action:
emit an offense named "Brute Force: {sourceip}"
and set the magnitude to 7
and send email to [email protected]
Rule Response:
Limit offenses per hour: 10
```
2. AQL investigation queries
```sql
-- Find brute-force sources
SELECT sourceip, username, COUNT(*) AS attempts
FROM events
WHERE QIDNAME(qid) = 'Failed Login'
GROUP BY sourceip, username
HAVING attempts >= 5
ORDER BY attempts DESC
LAST 24 HOURS
```

```sql
-- Check whether any of those sources also logged in successfully
SELECT sourceip, username, QIDNAME(qid)
FROM events
WHERE sourceip IN (
    SELECT sourceip FROM events
    WHERE QIDNAME(qid) = 'Failed Login'
    GROUP BY sourceip HAVING COUNT(*) >= 5
)
AND CATEGORYNAME(category) = 'Authentication'
ORDER BY starttime
LAST 24 HOURS
```
3. Response workflow
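To make the detection logic concrete, the following added example (written for this page, not code from the QRadar product or the original document) re-implements the rule and the two AQL queries in plain Python over a small set of constructed authentication events. It shows the sliding 5-minute window the rule uses, the 24-hour count the first query uses, and the success-after-failure correlation the second query is after. The event names, IP addresses and usernames are made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source IP, username, event name).
# Illustrative values only, not events from the page or from a real QRadar deployment.
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "203.0.113.5", "alice", "Failed Login"),
    ("2024-01-01 10:00:30", "203.0.113.5", "alice", "Failed Login"),
    ("2024-01-01 10:01:00", "203.0.113.5", "bob", "Failed Login"),
    ("2024-01-01 10:01:30", "203.0.113.5", "alice", "Failed Login"),
    ("2024-01-01 10:02:00", "203.0.113.5", "admin", "Failed Login"),
    ("2024-01-01 10:03:00", "203.0.113.5", "admin", "Login Success"),
    # Second source: five failures spread over 80 minutes, then a success.
    ("2024-01-01 10:00:10", "198.51.100.7", "carol", "Failed Login"),
    ("2024-01-01 10:20:00", "198.51.100.7", "carol", "Failed Login"),
    ("2024-01-01 10:40:00", "198.51.100.7", "carol", "Failed Login"),
    ("2024-01-01 11:00:00", "198.51.100.7", "carol", "Failed Login"),
    ("2024-01-01 11:20:00", "198.51.100.7", "carol", "Failed Login"),
    ("2024-01-01 11:21:00", "198.51.100.7", "carol", "Login Success"),
]


def parse(events):
    """Return events as (datetime, ip, user, name) tuples sorted by time."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user, name)
              for ts, ip, user, name in events]
    return sorted(parsed)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window equivalent of the rule: at least `threshold` 'Failed Login'
    events within `window` from the same source IP.
    Returns {offense_name: time_of_the_event_that_triggered_it}."""
    recent = defaultdict(deque)   # source IP -> failed-login timestamps inside the window
    offenses = {}
    for ts, ip, _user, name in parse(events):
        if name != "Failed Login":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # discard failures older than the window
            q.popleft()
        if len(q) >= threshold:
            # One offense per source, keyed the way the rule names it; keep the first trigger time.
            offenses.setdefault(f"Brute Force: {ip}", ts)
            q.clear()                     # one burst raises one offense, not one per extra event
    return offenses


def count_failures(events, min_attempts=5):
    """Equivalent of the first AQL query: failures grouped by (source IP, username)
    over the whole data set (no short window), keeping groups with >= min_attempts."""
    counts = defaultdict(int)
    for _ts, ip, user, name in parse(events):
        if name == "Failed Login":
            counts[(ip, user)] += 1
    return {key: n for key, n in counts.items() if n >= min_attempts}


def successes_after_offense(events, offenses):
    """Equivalent of the second AQL query, narrowed to the interesting case:
    'Login Success' events from an offending IP at or after its trigger time.
    Returns a list of (ip, user, timestamp string)."""
    triggered = {name.split(": ", 1)[1]: ts for name, ts in offenses.items()}
    hits = []
    for ts, ip, user, name in parse(events):
        if name == "Login Success" and ip in triggered and ts >= triggered[ip]:
            hits.append((ip, user, ts.strftime("%Y-%m-%d %H:%M:%S")))
    return hits


if __name__ == "__main__":
    found = detect_brute_force(SAMPLE_EVENTS)
    print("offenses:", found)
    print("24h failure counts:", count_failures(SAMPLE_EVENTS))
    print("successes after offense:", successes_after_offense(SAMPLE_EVENTS, found))
```

Running it shows the difference between the two views: the rule fires only for 203.0.113.5, whose five failures land inside two minutes, while the 24-hour query instead surfaces 198.51.100.7 (five slow failures against one account) and misses 203.0.113.5, whose failures are spread across three usernames. The rule groups by source IP; the first query groups by source IP and username, so a low-and-slow attempt or one spread over several accounts is caught by one check and not the other, which is why both are worth running during an investigation. The success-after-failure check returns the admin login from 203.0.113.5 at 10:03:00, the event that turns an offense into a confirmed compromise.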
Related resources
- 📄 02-intermediate/02-rules-and-building-blocks.md
- 📄 02-intermediate/03-offense-investigation.md