topic How to search for 5 failed logins followed by 1 successful login from one user to find brute force attacks? in Splunk Search

How to search for 5 failed logins followed by 1 successful login from one user to find brute force attacks?

sumit29 — Mon, 21 Dec 2015 21:37:33 GMT

Dear Experts,

Kindly help to create a search for 5 failed logins followed by 1 successful login from one user.

Interesting fields = user(Username) , action(Success Or Failed)

index=* | ....

Thanks in advanced

Re: How to search for 5 failed logins followed by 1 successful login from one user to find brute force attacks?

Murali2888 — Mon, 21 Dec 2015 23:37:20 GMT

Hi sumit29,

Can you try the following?

index=* | stats list(Action) as Attempts, count(eval(match(Action,"Failed"))) as Failed, count(eval(match(Action,"Success"))) as Success by Username | where mvcount(Attempts)>=6 AND Success=1 AND Failed>=5

Re: How to search for 5 failed logins followed by 1 successful login from one user to find brute force attacks?

miteshvohra — Tue, 22 Dec 2015 04:11:06 GMT

In case, you are using the Common Information Model, then you can start your search as tag=Authentication. This will invoke the data from across all "relevant" indexes and will be much faster in returning results.

Re: How to search for 5 failed logins followed by 1 successful login from one user to find brute force attacks?

lakshman239 — Wed, 31 Aug 2016 19:03:58 GMT

Thanks. That works.

Re: How to search for 5 failed logins followed by 1 successful login from one user to find brute force attacks?

thambisetty_bal — Mon, 16 Jan 2017 07:58:32 GMT

HI Murali,

What if there would be multiple success events after 5 failed attempts? if that happens , success always will be greater than 1 then search returns 0 results. how to deal with this situation?

Re: How to search for 5 failed logins followed by 1 successful login from one user to find brute force attacks?

erdalcan — Tue, 09 May 2017 06:01:19 GMT

That does seem to work, but it doesn't take the time sequence in consideration , how can I order the events in order of time? I first want to see 5 failed loggings followed by a successful login, and not 6 total loggings where there is a successful login in between somewhere

Re: How to search for 5 failed logins followed by 1 successful login from one user to find brute force attacks?

lakshman239 — Wed, 17 May 2017 09:09:36 GMT

In how many mins, do you want to see the failed login followed by successful logon? if you schedule the above search within that time frame, it should help in you in what you need. Alternatively, you could also use streamstats to get the running total for a given period.

Re: How to search for 5 failed logins followed by 1 successful login from one user to find brute force attacks?

erdalcan — Wed, 17 May 2017 09:47:56 GMT

I have already added a time field (10 minutes), but it seems this query searches in the given timeframe and looks for the total failed and one successful event, without taking the time sequence in which order they came.
for example, I run the query and see users who have logged in this sequence:
1. failure
2. success
3. failure
4. failure
5. failure
6. failure

The query should only look for the first 5 failed loggings followed by a successful, but
it looks in total of loggings within a timeframe

wonder if this is easy to do with the enterprise security app, there you do have brute force queries but none of them contain the successful brute force attacks