topic Re: Total Account lockouts > 2 within 30mins in Splunk Search

Total Account lockouts > 2 within 30mins

siddh01r — Fri, 13 Sep 2019 04:40:44 GMT

Hi There,

I am trying to find where total account lockouts that are greater than 2 within the time frame of 30 mins.
This is to find out potential malicious activity where someone is trying to possibility crack a password for an account.
our lockout threshold is 15 mins and it gets unlocked. This way I can see if someone possibly has tried to log into an account more than 2 times and locked an account in 30 mins.

Here is my query which gives me total results >2, but i am not sure how to specify the timeframe of 30 mins in the query.
Any help would be appreciated.

description="Account Lockouts" EventCode=4740 user="*" host=primarydc
| stats count as total by user, host
| where total > 2

Re: Total Account lockouts > 2 within 30mins

gcusello — Fri, 13 Sep 2019 11:17:13 GMT

Hi siddh01r,
if you need to create an alert, you can use your search putting as time period:

earliest=-30m latest=now

and schedule this alert every 30 minutes.

if you want to create a panel, you could use timechart command:

description="Account Lockouts" EventCode=4740 user="*" host=primarydc
| eval col=user." ".host
| timechart span=30m count as total by col
| where total > 2

P.S.: use always index in your searches, it's faster.

Bye.
Giuseppe

Re: Total Account lockouts > 2 within 30mins

siddh01r — Sun, 15 Sep 2019 22:26:10 GMT

Thank you so much Guiseppe. Great help.
Question - what is the below used for, can you please give me some context?

| eval col=user." ".host

also,
When I use that query, I see that there are events but I get no statistical table with results i.e "0 statistics".

Cheers
Sid

Re: Total Account lockouts > 2 within 30mins

gcusello — Mon, 16 Sep 2019 07:18:42 GMT

About the first question, you have to create a timechart with two parameterts, user and host, but timechart can take only one parameter, in thjis way you can use two parameters in timechart.

About the second question, if you use | where total>2, you add a filter for your Alert: in this way, if you have results, alert is triggered otherwise not.
If instaed you want to use this search in a panel, you can remove the filter and see all the results.

Bye.
Giuseppe

Re: Total Account lockouts > 2 within 30mins

maciep — Mon, 16 Sep 2019 10:59:41 GMT

you may want to run this more often, maybe every 5 minutes and find a way to deal with dups. Or run it over a longer period and use delta to find the time between alerts. If you run it every 30, you could miss failed attempts that cross timespans.

For example, if it runs on the 0 &30 minute mark and attempts fail on the 57 and 02 minute marks. The first run at the 0 min would only see the attempt at 57 and the run at the 30 mark would only see the attempt at 2nd minute. And so even though the attempts are 5 minutes apart, your alert would miss them.