<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Question regarding brute force query in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/Question-regarding-brute-force-query/m-p/390160#M169439</link>
    <description>&lt;P&gt;Here's one way - &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index="wineventlog" sourcetype=wineventlog:security
(EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR 
 EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR 
 EventCode=4776) 
| stats dc(action) as Attempts, 
        count(eval(match(action,"failure"))) as Failed, 
        count(eval(match(action,"success"))) as Success 
        max(eval(case(match(action,"failure"),_time))) as lastFailed
        max(eval(case(match(action,"success"),_time))) as lastSuccess
        values(src) as src by user dest 
| where Attempts&amp;gt;1 AND Failed&amp;gt;10 AND Success&amp;gt;0
| where lastFailed &amp;lt; lastSuccess
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This would work for what you asked for, but I'm not sure it really meets the business need.  &lt;/P&gt;

&lt;P&gt;Think about it this way - your actual employee or client could be trying to use his account as well during any given time frame, so a success that is unrelated to the brute force attack could be coincidentally in the time frame of your search.&lt;/P&gt;

&lt;P&gt;It seems like, if there are ten failures, THEN you need to analyze the successes in light of the failures.  Let me see if I can put something like that together.   &lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;Okay, this version is going to give you something much closer to what you need.  &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index="wineventlog" sourcetype=wineventlog:security
(EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR 
 EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR 
 EventCode=4776) 
| eventstats count(eval(match(action,"failure"))) as Failed, 
        count(eval(match(action,"success"))) as Success 
        by user dest 
| where Failed &amp;gt;= 10  AND Success &amp;gt; 0
| rename COMMENT as "The above gets rid of all events that are obviously not matches"


| rename COMMENT as "Sort into order, then add up strings of failures or successes"
| sort 0 user dest _time 
| streamstats reset_on_change=t count as UDcount by user dest action

| rename COMMENT as "Copy the prior record info, then test for a success after 10+ failures"
| streamstats current=f last(UDcount) as prevUDcount last(action) as prevAction by user dest
| eval KeepMe=case(action="success" AND prevAction="failure" AND prevUDcount &amp;gt;=10,"KeepMe")

| eventstats max(KeepMe) as KeepAll by user dest
| where KeepAll="KeepMe"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;At this point, you have all events for any suspicious combo of user and dest retained together.  The one success after a long row of failures will be marked with KeepMe="KeepMe", and the rest will be marked with KeepAll="KeepMe".&lt;/P&gt;</description>
    <pubDate>Mon, 14 May 2018 14:38:03 GMT</pubDate>
    <dc:creator>DalJeanis</dc:creator>
    <dc:date>2018-05-14T14:38:03Z</dc:date>
    <item>
      <title>Question regarding brute force query</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Question-regarding-brute-force-query/m-p/390159#M169438</link>
      <description>&lt;P&gt;Please see this query for brute force detection:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index="wineventlog" sourcetype=wineventlog:security 
| search (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR 
          EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR 
          EventCode=4776) 
| stats dc(action) as Attempts, 
        count(eval(match(action,"failure"))) as Failed, 
        count(eval(match(action,"success"))) as Success 
        values(src) as src by user dest 
| where Attempts&amp;gt;1 AND Failed&amp;gt;10 AND Success&amp;gt;0
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;So now what's happening is I am getting results for Failed&amp;gt;10 and Success&amp;gt;0, but there could be a scenario where the 1st event is a success followed by 10 failures. That's also coming through, but we don't want that; it's not a brute force attack. How can I accomplish "the first 10 events are failures, followed by an 11th event that is a success"?&lt;/P&gt;</description>
      <pubDate>Mon, 14 May 2018 12:20:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Question-regarding-brute-force-query/m-p/390159#M169438</guid>
      <dc:creator>rahul_mckc_splu</dc:creator>
      <dc:date>2018-05-14T12:20:35Z</dc:date>
    </item>
    <item>
      <title>Re: Question regarding brute force query</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Question-regarding-brute-force-query/m-p/390160#M169439</link>
      <description>&lt;P&gt;Here's one way - &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index="wineventlog" sourcetype=wineventlog:security
(EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR 
 EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR 
 EventCode=4776) 
| stats dc(action) as Attempts, 
        count(eval(match(action,"failure"))) as Failed, 
        count(eval(match(action,"success"))) as Success 
        max(eval(case(match(action,"failure"),_time))) as lastFailed
        max(eval(case(match(action,"success"),_time))) as lastSuccess
        values(src) as src by user dest 
| where Attempts&amp;gt;1 AND Failed&amp;gt;10 AND Success&amp;gt;0
| where lastFailed &amp;lt; lastSuccess
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;This would work for what you asked for, but I'm not sure it really meets the business need.  &lt;/P&gt;

&lt;P&gt;Think about it this way - your actual employee or client could be trying to use his account as well during any given time frame, so a success that is unrelated to the brute force attack could be coincidentally in the time frame of your search.&lt;/P&gt;

&lt;P&gt;It seems like, if there are ten failures, THEN you need to analyze the successes in light of the failures.  Let me see if I can put something like that together.   &lt;/P&gt;

&lt;HR /&gt;

&lt;P&gt;Okay, this version is going to give you something much closer to what you need.  &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index="wineventlog" sourcetype=wineventlog:security
(EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR 
 EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR 
 EventCode=4776) 
| eventstats count(eval(match(action,"failure"))) as Failed, 
        count(eval(match(action,"success"))) as Success 
        by user dest 
| where Failed &amp;gt;= 10  AND Success &amp;gt; 0
| rename COMMENT as "The above gets rid of all events that are obviously not matches"


| rename COMMENT as "Sort into order, then add up strings of failures or successes"
| sort 0 user dest _time 
| streamstats reset_on_change=t count as UDcount by user dest action

| rename COMMENT as "Copy the prior record info, then test for a success after 10+ failures"
| streamstats current=f last(UDcount) as prevUDcount last(action) as prevAction by user dest
| eval KeepMe=case(action="success" AND prevAction="failure" AND prevUDcount &amp;gt;=10,"KeepMe")

| eventstats max(KeepMe) as KeepAll by user dest
| where KeepAll="KeepMe"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;At this point, you have all events for any suspicious combo of user and dest retained together.  The one success after a long row of failures will be marked with KeepMe="KeepMe", and the rest will be marked with KeepAll="KeepMe".&lt;/P&gt;</description>
      <pubDate>Mon, 14 May 2018 14:38:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Question-regarding-brute-force-query/m-p/390160#M169439</guid>
      <dc:creator>DalJeanis</dc:creator>
      <dc:date>2018-05-14T14:38:03Z</dc:date>
    </item>
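The ordering problem discussed in the question and the answer above, as an added example that is not part of the thread: a stand-alone Python re-implementation of both SPL approaches from the answer (the aggregate stats/where check, and the sorted streamstats run check) over constructed sample logon events, so the difference in what each one flags can be seen without a Splunk instance. The field names (_time, user, dest, src, action) follow the thread's SPL; the users, hosts, source address and the event sequences are made up for illustration, and the threshold of 10 is taken from the posted queries (applied as at-least-10 in both functions, where the first posted query used a strict greater-than-10).

```python
"""Sequence-based brute-force check re-implemented outside Splunk.

Added example, not code from the thread: it mirrors the two approaches in
the answer on constructed Windows logon events so they can be compared
offline. Event fields (_time, user, dest, src, action) follow the names used
in the thread's SPL; the sample data below is constructed, not real log output.
"""
from collections import defaultdict

THRESHOLD = 10  # failures required before a following success counts as suspicious


def make_events(user, dest, pattern, start, src="10.0.0.5"):
    """Build constructed events, one per character of `pattern`
    ('F' = failure, 'S' = success), one second apart starting at `start`."""
    return [
        {"_time": start + i, "user": user, "dest": dest, "src": src,
         "action": "failure" if ch == "F" else "success"}
        for i, ch in enumerate(pattern)
    ]


def group_by_user_dest(events):
    """Equivalent of the SPL `by user dest` split."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["user"], ev["dest"])].append(ev)
    return groups


def aggregate_check(events, threshold=THRESHOLD):
    """First query's logic (stats + where): per (user, dest), at least
    `threshold` failures, at least one success, and the newest failure older
    than the newest success. The order of events inside the window is never
    examined. (The thread's query uses a strict Failed>10; at-least is used
    here so both checks share one threshold.)"""
    flagged = set()
    for key, evs in group_by_user_dest(events).items():
        fail_times = [ev["_time"] for ev in evs if ev["action"] == "failure"]
        succ_times = [ev["_time"] for ev in evs if ev["action"] == "success"]
        if (len(fail_times) >= threshold and succ_times
                and max(succ_times) > max(fail_times)):
            flagged.add(key)
    return flagged


def streak_check(events, threshold=THRESHOLD):
    """Second query's logic (sort + streamstats): per (user, dest), walk the
    events in time order, count the current unbroken run of failures (the SPL
    UDcount), and flag a success whose immediately preceding run is long
    enough. Returns {(user, dest): [timestamps of qualifying successes]}."""
    flagged = defaultdict(list)
    for key, evs in group_by_user_dest(events).items():
        run = 0
        for ev in sorted(evs, key=lambda e: e["_time"]):
            if ev["action"] == "failure":
                run += 1          # streamstats count, reset_on_change by action
                continue
            if run >= threshold:  # this is the KeepMe event
                flagged[key].append(ev["_time"])
            run = 0               # a success ends the run of failures
    return dict(flagged)


# Constructed sample: five (user, dest) pairs with different event orderings.
SAMPLE_EVENTS = (
    make_events("alice", "dc01", "F" * 10 + "S", start=1000)             # 10 failures, then success
    + make_events("bob", "dc01", "S" + "F" * 10, start=2000)             # success first, then failures
    + make_events("carol", "dc01", "SSS" + "F" * 10 + "SSS", start=3000)  # successes around the run
    + make_events("dave", "dc01", "F" * 5 + "S" + "F" * 5 + "S", start=4000)  # failures split by a success
    + make_events("erin", "dc02", "F" * 12, start=5000)                  # failures, never a success
)


if __name__ == "__main__":
    print("aggregate_check:", sorted(aggregate_check(SAMPLE_EVENTS)))
    print("streak_check:   ", streak_check(SAMPLE_EVENTS))
```

The dave sequence is the case the answer's second query is built for: ten failures in total and a success newer than the last failure, so the aggregate check flags the pair, but no run of ten consecutive failures ends in a success, so the streak check does not. Both checks pass over bob (success before the failures) and erin (no success at all).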
    <item>
      <title>Re: Question regarding brute force query</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Question-regarding-brute-force-query/m-p/390161#M169440</link>
      <description>&lt;P&gt;"where lastFailed &amp;lt; lastSuccess" is giving all failures followed by a success (it is going wrong here): if I have 100 successes, then 10 failures, then again 100 successes, this condition "where lastFailed &amp;lt; lastSuccess" is true.&lt;/P&gt;

&lt;P&gt;I mean it should be true only when we first have failures followed by a success, not success, then failures, then again success.&lt;/P&gt;</description>
      <pubDate>Mon, 14 May 2018 16:49:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Question-regarding-brute-force-query/m-p/390161#M169440</guid>
      <dc:creator>rahul_mckc_splu</dc:creator>
      <dc:date>2018-05-14T16:49:28Z</dc:date>
    </item>
    <item>
      <title>Re: Question regarding brute force query</title>
      <link>https://community.splunk.com/t5/Splunk-Search/Question-regarding-brute-force-query/m-p/390162#M169441</link>
      <description>&lt;P&gt;Please do the needful.&lt;/P&gt;</description>
      <pubDate>Tue, 15 May 2018 08:17:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/Question-regarding-brute-force-query/m-p/390162#M169441</guid>
      <dc:creator>rahul_mckc_splu</dc:creator>
      <dc:date>2018-05-15T08:17:30Z</dc:date>
    </item>
  </channel>
</rss>

