Building Detection Rules

Lesson 8 of 10

The Scenario

Your VPN concentrator is getting hit with brute force login attempts. You can see it in the logs but your SIEM does not have a detection rule for it. You need a rule that triggers when any single IP fails VPN authentication more than 10 times in 5 minutes.


The Prompt

Write a SIEM detection rule for VPN brute force attempts. My setup:
- VPN: Cisco AnyConnect on ASA
- SIEM: Splunk (SPL query)
- Syslog format: ASA sends to Splunk via UDP 514

The rule should:
1. Detect more than 10 failed VPN logins from the same source IP within 5 minutes
2. Include the source IP, username attempted, and failure count
3. Trigger a Splunk alert with severity HIGH
4. Also show me the equivalent for:
   - Graylog (pipeline rule)
   - ELK (KQL query)

ASA log format for failed VPN:
%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.50 : user = admin : user IP = 203.0.113.45

What AI Gives You

Detection rules for all three platforms:

Splunk SPL:

index=firewall sourcetype=cisco:asa "%ASA-6-113005" "AAA user authentication Rejected"
| rex "user = (?<user>\S+) : user IP = (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| bin _time span=5m
| stats count AS fail_count, values(user) AS users BY src_ip, _time
| where fail_count > 10

Plus Graylog and ELK equivalents.
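As an added example (not part of the lesson or of the AI output above), this Python script parses constructed ASA 113005 lines and applies the "more than 10 failures in 5 minutes" threshold two ways: fixed 5-minute buckets, which is what a `bin`/`stats` rule does, and a sliding 5-minute window. The sample attack straddles a bucket edge, so only the sliding version fires; the ISO timestamp prefix on each line is an assumed syslog header, and all IPs, users and times are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for the ASA 113005 message shape quoted in the prompt.
ASA_113005 = re.compile(r"%ASA-6-113005: AAA user authentication Rejected.*?"
                        r"user = (?P<user>\S+) : user IP = (?P<src_ip>\d+\.\d+\.\d+\.\d+)")
# Constructed sample syslog (ISO timestamp prefix is an assumed syslog header): 203.0.113.45
# fails 12 times at 15 s intervals from 10:03:30, straddling the 10:05 bucket edge; 198.51.100.7 fails twice.
TEMPLATE = ("{ts} %ASA-6-113005: AAA user authentication Rejected : reason = Invalid "
            "password : server = 10.1.1.50 : user = {u} : user IP = {ip}")
SAMPLE_LOG = [TEMPLATE.format(ts=(datetime(2024, 5, 1, 10, 3, 30) + timedelta(seconds=15 * i)).isoformat(),
                              u=u, ip="203.0.113.45")
              for i, u in enumerate(["admin", "admin", "jsmith", "jsmith", "admin", "vpnuser"] * 2)]
SAMPLE_LOG += [TEMPLATE.format(ts="2024-05-01T10:04:00", u="bob", ip="198.51.100.7"),
               TEMPLATE.format(ts="2024-05-01T10:09:00", u="bob", ip="198.51.100.7")]

def parse_failures(lines):
    """Return time-sorted (timestamp, src_ip, user) tuples for 113005 lines; ignore the rest."""
    events = []
    for line in lines:
        ts_text, _, msg = line.partition(" ")
        m = ASA_113005.search(msg)
        if m:
            events.append((datetime.fromisoformat(ts_text), m["src_ip"], m["user"]))
    return sorted(events)

def fixed_bin_alerts(events, threshold=10, span_min=5):
    """Mirror `bin _time span=5m | stats count by src_ip, _time | where count > threshold`."""
    counts = defaultdict(int)
    for ts, ip, _ in events:
        bucket = ts.replace(minute=ts.minute - ts.minute % span_min, second=0, microsecond=0)
        counts[(ip, bucket)] += 1
    return {ip: c for (ip, _), c in counts.items() if c > threshold}

def sliding_window_alerts(events, threshold=10, window=timedelta(minutes=5)):
    """Alert when a src_ip has more than `threshold` failures inside ANY window-length span."""
    per_ip = defaultdict(list)
    for ts, ip, user in events:
        per_ip[ip].append((ts, user))
    alerts = {}
    for ip, evs in per_ip.items():  # evs stay time-sorted because parse_failures sorts
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # evict events older than the window
                start += 1
            count = end - start + 1
            if count > threshold and count > alerts.get(ip, {}).get("fail_count", 0):
                alerts[ip] = {"fail_count": count, "users": sorted({u for _, u in evs[start:end + 1]})}
    return alerts
```

In Splunk the sliding variant corresponds to `streamstats count time_window=5m by src_ip` rather than `bin`; whichever you deploy, the bucket-edge miss shown here is worth testing for in the dev environment.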


Try It Yourself

Pick a threat scenario your SIEM does not detect yet. Describe it to AI with your specific log format and platform. Deploy the rule in a test/dev environment first.
