topic Re: Baseline and query for Anomalous Invalid Login Attempts in Security

Baseline and query for Anomalous Invalid Login Attempts

suvamondal — Tue, 29 Sep 2020 08:02:59 GMT

I am working on Anomalous Invalid Login Attempts where I need to do multiple login from a same user from different sites in 30 mins time span, so the below query I implemented

sourcetype=msad-successful-user-logons OR (EventCode=540 OR EventCode=4624)
NOT (user=$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| lookup ADSitesAndSubnets name as src_ip OUTPUT description as SiteName name as Subnet
| search NOT (SiteName=KDC OR SiteName=NDC) )### both are same region so not require
| lookup ComputerIPAddressTemporal ip AS src_ip OUTPUT computer AS ComputerName
| stats first(_time) as LastEventTime last(_time) as FirstEventTime by user src_ip SiteName ComputerName
| eval LogonData = ComputerName . "|" . SiteName . "|" . src_ip . "|" . strftime(FirstEventTime, "%H:%M:%S") . "|" . strftime(LastEventTime, "%H:%M:%S")
| stats dc(SiteName) as Number_Sites values(LogonData) as LogonData by user | where Number_Sites >= 2
| mvexpand LogonData

| rex field=LogonData "^(?<ComputerName>[^|]+)|(?<SiteName>[^|]+)|(?<src_ip>[^|]+)|(?<FirstEventTime>[^|]+)|(?<LastEventTime>[^|]+)$"

| ldapfilter domain=NEXEOSOLUTIONS search="(sAMAccountName=$user$)" attrs="distinguishedName"

| search distinguishedName="*OU=Nexeo Sync"

| sort user SiteName ComputerName
| table user SiteName ComputerName src_ip FirstEventTime LastEventTime

Now my requirement is to define more baseline for “Anomalous Invalid Login Attempts”.
My question is what could be the possible baselines in this scenario and what will be query for that.

Re: Baseline and query for Anomalous Invalid Login Attempts

jsven7 — Wed, 02 Dec 2015 12:20:46 GMT

Are you trying to get a report? Can you provide some sample data and the conditions that represent "Anomalous Invalid Login Attempts"?

Re: Baseline and query for Anomalous Invalid Login Attempts

hagjos43 — Wed, 02 Dec 2015 12:45:59 GMT

Defining a baseline can be tricky as each system and environment is different. You might need to build a dashboard with multiple panels (queries) to give you a broad idea of average behavior over time. I see you're in a windows environment, I'll suggest taking a look at a few known working Windows queries here: http://gosplunk.com/category/wineventlogsecurity/ You can probably find a few queries to throw together in a dashboard, as well as use and abuse the queries to come up with something that'll suit your needs.

In addition, I'd use statistical functions such as average, median, standard deviation (etc, etc) over a proper period of time (week / month, weekend vs weekday) to properly determine behavior and baselines.

My $.02 at least 🙂