Excel File for brute force investigation

We have DNIF installed and there is a brute force alert in the Signals section.
Can someone help me get the customer security log in Excel?
I need this for investigation and response.

Hello, can anybody help?

Hi boheha,
Thank you for giving us a try. I welcome you to DNIF Community.

I can certainly help with generating security logs in Excel format.

  1. From the Signals page, please select the workbook icon, which takes you to the actual detection rule that caused this Signal to be raised in the first place. (This icon is on the right-hand side of the signal; in your case, the Brute force signal.)
  2. Click on the Search (magnifying glass) icon, which will fetch the search results. It will give you the relevant logs that raised the signal.
  3. To add more detail, use the Find page to narrow your selection to the exact log information you wish to export to Excel. For example, in your case: go to Find, and in the search block add the filters Stream - AUTHENTICATION, System - target host detected in the signal, Action - LOGIN, and set the duration to the appropriate time frame.
  4. Once you have the required details, you can export the logs in xlsx format to your email using DQL. Please use the + icon to add a DQL block.

Here is the syntax: _export xlsx notify_email

For more information about export, please refer to the DQL Export Directive Guide.

Let us know if this helps.

Regards,
BodhiSaar

1 Like
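The reply above narrows the signal's logs by stream, target host, action and time window before exporting them. The following is an added example, not DNIF's own code or DQL, and it does not read DNIF's export format: it applies the same filter to a handful of constructed authentication records, counts failed logins per source address, and writes the narrowed events out as CSV (readable in Excel). The field names `stream`, `host`, `action`, `src`, `user`, `outcome` and the sample values are assumptions made for this illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample records (NOT DNIF's export format). Field names are an
# assumption chosen to mirror the filters in the reply above: Stream, System
# (target host), Action, plus source address and outcome for the analysis.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:30", "stream": "AUTHENTICATION", "host": "srv01",
     "action": "LOGIN", "src": "10.0.0.5", "user": "admin", "outcome": "FAILURE"},
    {"ts": "2024-01-01T10:01:00", "stream": "AUTHENTICATION", "host": "srv01",
     "action": "LOGIN", "src": "10.0.0.5", "user": "admin", "outcome": "FAILURE"},
    {"ts": "2024-01-01T10:01:30", "stream": "AUTHENTICATION", "host": "srv01",
     "action": "LOGIN", "src": "10.0.0.5", "user": "root", "outcome": "FAILURE"},
    {"ts": "2024-01-01T10:02:00", "stream": "AUTHENTICATION", "host": "srv01",
     "action": "LOGIN", "src": "10.0.0.9", "user": "bob", "outcome": "FAILURE"},
    {"ts": "2024-01-01T10:02:30", "stream": "AUTHENTICATION", "host": "srv01",
     "action": "LOGIN", "src": "10.0.0.5", "user": "admin", "outcome": "SUCCESS"},
    # Different target host: excluded by the System filter.
    {"ts": "2024-01-01T10:03:00", "stream": "AUTHENTICATION", "host": "srv02",
     "action": "LOGIN", "src": "10.0.0.5", "user": "admin", "outcome": "FAILURE"},
    # Outside the time window: excluded by the duration filter.
    {"ts": "2024-01-01T09:50:00", "stream": "AUTHENTICATION", "host": "srv01",
     "action": "LOGIN", "src": "10.0.0.5", "user": "admin", "outcome": "FAILURE"},
    # Different stream/action: excluded by the Stream and Action filters.
    {"ts": "2024-01-01T10:04:00", "stream": "SYSTEM", "host": "srv01",
     "action": "LOGOUT", "src": "10.0.0.5", "user": "admin", "outcome": "SUCCESS"},
]

COLUMNS = ["ts", "stream", "host", "action", "src", "user", "outcome"]


def filter_auth_events(events, target_host, start, end,
                       stream="AUTHENTICATION", action="LOGIN"):
    """Keep events matching stream, target host and action inside [start, end]."""
    start_dt = datetime.fromisoformat(start)
    end_dt = datetime.fromisoformat(end)
    kept = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if (ev["stream"] == stream and ev["host"] == target_host
                and ev["action"] == action and start_dt <= ts <= end_dt):
            kept.append(ev)
    return kept


def failures_per_source(events):
    """Count failed logins per source address; this is the brute-force signal."""
    return Counter(ev["src"] for ev in events if ev["outcome"] == "FAILURE")


def suspected_sources(events, threshold=3):
    """Sources at or above `threshold` failures (threshold is an assumed value)."""
    return sorted(src for src, n in failures_per_source(events).items()
                  if n >= threshold)


def to_csv(events):
    """Render the narrowed events as CSV text that Excel opens directly."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(events)
    return buf.getvalue()


def write_csv(events, path):
    with open(path, "w", newline="") as fh:
        fh.write(to_csv(events))


if __name__ == "__main__":
    narrowed = filter_auth_events(SAMPLE_EVENTS, "srv01",
                                  "2024-01-01T10:00:00", "2024-01-01T10:05:00")
    print(f"{len(narrowed)} events kept")
    print("failures per source:", dict(failures_per_source(narrowed)))
    print("suspected brute-force sources:", suspected_sources(narrowed))
    write_csv(narrowed, "brute_force_srv01.csv")
```

The window here is the same five minutes the signal covers; widening `start`/`end` is the local equivalent of adjusting the duration filter on the Find page.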

TY BodhiSaar!!
Can I also change Time travel to include a longer duration? It's only allowing the close action.

Hi bohena,
Please go ahead and give it a try.
Using 'Time travel' you will understand when this signal was executed. If a signal was executed in the last five minutes, it will allow you to go back and investigate what happened in the last five minutes that triggered the signal. So you can actually see the list of events that caused the signal to be raised.

Hope this helps.

Regards,
BodhiSaar

1 Like