topic Re: Can you help me create a usecase that will alert when a string of failed logins is followed by a successful login? in Splunk Enterprise Security

Can you help me create a usecase that will alert when a string of failed logins is followed by a successful login?

kokanne — Wed, 16 Mar 2022 14:12:35 GMT

I'm trying to make a usecase where it will alert when there are several attempts of failed logins and one of them succeeded in the past 10 minutes.

So it must do the following thing:
Alert when 10 failed logins are followed up by 1 successful log-in in the past 10 minutes.

Is there a possible way to do this? I'm currently using a query of a datamodel that shows all logins in the timeframe given to the search. The query:

| tstats summariesonly=true count from datamodel=Authentication by _time, "Authentication.src_user", "Authentication.action" 
| search (Authentication.src_user!="NULL SID" AND NOT Authentication.src_user="-" AND NOT Authentication.src_user="unknown")

Thanks in advance everyone

Re: Can you help me create a usecase that will alert when a string of failed logins is followed by a successful login?

rbreton — Fri, 02 Nov 2018 18:36:06 GMT

I am not sure of where you are getiting your data... But maybe you could modify this snippet..

index=wineventlog sourcetype=WinEventLog:Security (EventCode="4624" OR EventCode="4625") user!="*$" 
| eval count_failure = if(action=="failure", 1, 0), count_success = if(action=="success", 1, 0)
| eval time_failure = if(action=="failure", _time, "-"), time_success = if(action=="success", _time, "-")
| stats min(time_failure) as first_fail, sum(count_failure) as count_failure, min(time_success) as first_success by user
| eval time_difference = first_success - first_fail
| where count_failure > 0
| search time_difference>400
| eval first_fail=strftime(first_fail,"%Y-%m-%d | %H:%M:%S"), first_success=strftime(first_success,"%Y-%m-%d | %H:%M:%S")

Re: Can you help me create a usecase that will alert when a string of failed logins is followed by a successful login?

osakachan — Wed, 07 Nov 2018 07:15:30 GMT

Why not try with a subsearch, looking for failed logins. You can use a stats count by IP, computername or username and have where clause > 10.

You give that field and the time to the search for looking to successful logins. To control when it is done, you need to play with earliest and latetst time values of the searches.

Re: Can you help me create a usecase that will alert when a string of failed logins is followed by a successful login?

bcyates — Wed, 07 Nov 2018 19:17:07 GMT

The OOTB Brute Force Behavior correlation rule with ES already does this. Why are you trying to create a custom one?

Re: Can you help me create a usecase that will alert when a string of failed logins is followed by a successful login?

woodcock — Thu, 08 Nov 2018 02:11:04 GMT

Like this (maybe put some of the last | search stuff into the WHERE clause of tstats😞

| tstats summariesonly=true  count(eval('action'=="failure")) AS failure count(eval('action'=="success")) AS success
FROM datamodel=Authentication
WHERE index=*
BY _time span=10m "Authentication.src_user"
| search success>0 AND failure>=10 AND (Authentication.src_user!="NULL SID" AND NOT Authentication.src_user="-" AND NOT Authentication.src_user="unknown")

Re: Can you help me create a usecase that will alert when a string of failed logins is followed by a successful login?

solarboyz1 — Thu, 28 Feb 2019 14:34:08 GMT

Here's the Brute Force Correlation search in ES, you would just need to ensure your data is in the CIM datamodel.

| from datamodel:"Authentication"."Authentication" | stats values(tag) as tag,values(app) as app,count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success by src | search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium | `settags("access")`

Re: Can you help me create a usecase that will alert when a string of failed logins is followed by a successful login?

plaftaric — Wed, 16 Mar 2022 10:40:02 GMT

Note: 'TsidxStats': The tstats / mstats command cannot apply eval function to aggregation function.