Password spraying search

kuriakose — Mon, 23 Aug 2021 12:53:09 GMT

Hi,

I am attempting to create a search for a password spraying attempt. I need the IP address and Hostname made with the different login names attempted to login to a particular machine within the last 5 min. Also, the number of login attempts should be more than 10.

I created the below search, but that's pulling me wrong data. A sample data am expecting is attached in the screenshot

index=win* EventCode=4625 Logon_Type=3 Target_User_Name!="" src_ip!="-" |bucket span=5m _time
|stats dc(TargetUserName) AS Unique_accounts values(TargetUserName) as tried_accounts by _time, src_ip Source_Workstation |eventstats avg(Unique_accounts) as global_avg, stdev(Unique_accounts) as global_std |eval upperBound=(comp_avg+comp_std*3) |eval isOutlier=if(Unique_accounts>10 and Unique_accounts>=upperBound, 1, 0) |sort -Unique_accounts

Thanks in advance.

Re: Password spraying search

ITWhisperer — Mon, 23 Aug 2021 13:11:08 GMT

comp_avg and comp_std don't exist, you named them global_avg and global_std in the eventstats command

Re: Password spraying search

kuriakose — Mon, 23 Aug 2021 13:33:16 GMT

I made those changes still i am not getting the result what am expecting.

Re: Password spraying search

ITWhisperer — Mon, 23 Aug 2021 13:51:30 GMT

In what way does it differ from what you expected?

topic Re: Password spraying search in Splunk Search

Password spraying search

Re: Password spraying search

Re: Password spraying search

Re: Password spraying search