topic Excessive Failed login alert Investigation. in Security

Excessive Failed login alert Investigation.

BUSAKIN — Sun, 07 Nov 2021 01:25:59 GMT

How will i use Splunk to investigate an Excessive Failed login alert and what are things to look for?
Thanks,

Re: Excessive Failed login alert Investigation.

gcusello — Sun, 07 Nov 2021 06:57:33 GMT

you can find an example about excessive failed logins alert in the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435/) with many other Security Use Cases.

But in few words, you have to identify the failed login condition forr each kind of system you're monitoring: e.g.:

for Windows Servers is: index=wineventlog EventCode=4625,
for Linux Servers is:
index=os sourcetype=linux_secure NOT disconnect "failed password",
etc...

Then you have to put the conditions in a search:

(index=wineventlog EventCode=4625) OR (index=os sourcetype=linux_secure NOT disconnect "failed password") | eval user=coalesce(Account_name, user) | stats count By host user | where count>10

In this sample I used as threeshold 10.

there a clearer but longer way that I prefer:

create an eventtype for each kind of condition (e.g.: windows_logfail, linux_logfail, etc...) associating the tag "LOGFAIL to all of them,
then run the above search using the simple search tag=LOGFAIL.

Ciao.

Giuseppe

Re: Excessive Failed login alert Investigation.

BUSAKIN — Sun, 07 Nov 2021 22:31:13 GMT

Hi gcusello,

It was, I was able to see failed login. sorry to say this, that I'm new to Splunk and I do not know How to investigate failed login attempts so this is the major issue. What and what do i need to look for and how to look for it.
Thanks

Re: Excessive Failed login alert Investigation.

gcusello — Mon, 08 Nov 2021 07:29:03 GMT

Hi @BUSAKIN,

as I said, the first thing is identify failed logins and tag them.

Then you can correlate failed logins to understand if the source or the destination of the brute force are defined sources or destinations so you can blacklist the sources or you can check the destination to understand if the brute force attempt was successful or not.

The way to do this is the correlation search I hinted in my previous answer that you can customize for your needs, e.g. to understand if the destinations are the same you could run something like this:

(index=wineventlog EventCode=4625) OR (index=os sourcetype=linux_secure NOT disconnect "failed password") | eval user=coalesce(Account_name, user) | stats values(src_ip) AS src_ip count By host user | where count>10

if instead you are interested to the source, you could run:

(index=wineventlog EventCode=4625) OR (index=os sourcetype=linux_secure NOT disconnect "failed password") | eval user=coalesce(Account_name, user) | stats values(host) AS host count BY src_ip user | where count>10

The threeshold depends on the timeframe you used.

As I said, see the Security Essentials App to have a guide to this and other Use Cases.

Ciao.

Giuseppe