topic Re: Query for Suspicious Logon Behavior in Splunk Search

Search for Suspicious Logon Behavior

johann2017 — Wed, 30 Sep 2020 03:25:07 GMT

Hello there. I want to build a query that alerts off when a single source IP or source computer is attempting to logon to multiple computers (Event Code's 4624 and 4625). How can I go about this?

I tried with the query below but its not differentiating single to many logon attempts, it is returning also single to single attempts which is not what I want.

index=windows-logs (EventCode=4624 OR EventCode=4625) src_ip=* src!=10.1.2.23 | top Account_Name, src_ip limit=0 countfield="Total" showperc=f | where Total > 20 | rename src_ip AS "Source IP Performing Remote Login Attempts"

Re: Query for Suspicious Logon Behavior

martynoconnor — Wed, 30 Sep 2020 03:27:57 GMT

Something like this?

index=windows-logs (EventCode=4624 OR EventCode=4625) src_ip=* NOT src="10.1.2.23"
| stats dc(host) AS hosts by Account_Name
| where hosts > 20
| rename src_ip AS "Source IP Performing Remote Login Attempts"

Re: Query for Suspicious Logon Behavior

johann2017 — Wed, 30 Sep 2020 03:25:11 GMT

Hello Marty. A couple of things I found when doing a test vulnerability scan which would mimic the type of behavior I want to alert on (a single IP scanning multiple IPs). I found the the remote systems attempting to be accessed show up under the field name "dest" and that the source ip of the scanner attempting to connect is under the field name "Source_Network_Address". I modified your sytax below - does it look right because I am getting zero results?

index=windows-logs (EventCode=4624 OR EventCode=4625) Source_Network_Address=* NOT src="10.1.2.23"
| stats dc(dest) AS dest by Source_Network_Address
| where dest > 20

Re: Query for Suspicious Logon Behavior

johann2017 — Fri, 20 Dec 2019 15:55:09 GMT

Actually I had a typo in my index. I think your recommendation will get me going in the right direction. I am going to keep testing with it though. Thanks!!

Re: Query for Suspicious Logon Behavior

johann2017 — Fri, 20 Dec 2019 15:59:04 GMT

@martynoconnor If I wanted to build a similar search - except this time I want to alert off a certain username trying to log on to multiple computers how would I do that? Let's say the usernames I am interested in are Administrator and Root...

Re: Query for Suspicious Logon Behavior

martynoconnor — Wed, 30 Sep 2020 03:28:23 GMT

If the usernames are important, then add them in as key=value pairs before the first pipe, and then as a second by clause for the stats(dc). Something like this:

index=windows-logs (EventCode=4624 OR EventCode=4625) Source_Network_Address=* NOT src="10.1.2.23" (user=Administrator OR user=root)
| stats dc(dest) AS dest by Source_Network_Address user
| where dest > 20

Re: Query for Suspicious Logon Behavior

johann2017 — Fri, 20 Dec 2019 19:21:13 GMT

You rock that worked too!