topic Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations? in Splunk Search

Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

jacqu3sy — Fri, 17 Feb 2017 14:14:00 GMT

I have the following search and I'm not certain it's producing the correct results. The idea is to use it to detect brute force attempts whereby 1 source device attempts to connect to multiple destinations over a 1 second period making use of the Authentication datamodel, specifically for failed logins.

Current search looks as follows;

| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication  Authentication.app!="win:unknown" by "Authentication.src","Authentication.dest" | rename "Authentication.src" as "Source_Device" | bucket _time span=1s | stats dc("Authentication.dest") as Destination_Device by Source_Device | where Destination_Device > 20

But I'm not certain it's producing results of failed connections over a period of time, say 30 days, or the results were all failed login attempts carried out over a 1 second period as per the use of the bucket _time span=1s statement. The idea is to make the search into an alert to detect brute force attacks against multiple destinations.

Any thoughts?

Many thanks in advance!

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

jpolcari — Fri, 17 Feb 2017 14:22:07 GMT

Have you looked at the events to confirm you have some instances where there were 20 attempts to different machines from the same source host within the same second?

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

somesoni2 — Fri, 17 Feb 2017 14:22:12 GMT

Try like this

Updated

| tstats summariesonly values("Authentication.dest") as Destination_Device from datamodel=Authentication where nodename=Authentication.Failed_Authentication Authentication.app!="win:unknown" by "Authentication.src" _time span=1s| rename "Authentication.src" as "Source_Device"  | where Destination_Device > 20

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

DalJeanis — Fri, 17 Feb 2017 15:22:28 GMT

Don't you need

...by Source_Device _time ...

in the final stats command?

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

somesoni2 — Fri, 17 Feb 2017 15:35:44 GMT

Thanks Dal. Yes I do. In fact that gave me an idea to avoid the send stats all together.

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

jacqu3sy — Fri, 17 Feb 2017 15:43:21 GMT

so ditch the 'bucket' altogether?

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

somesoni2 — Fri, 17 Feb 2017 15:47:15 GMT

The bucketing is happening as part of tstats command itself (include _time in the by clause and a span at the end of the tstats).

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

jacqu3sy — Fri, 17 Feb 2017 16:18:55 GMT

Ok that makes sense, slightly confused though, is Dal's ...by Source_Device needed as well? And would this go in an additional | stats search?

Sorry, new to Splunk. Slowly getting there.

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

somesoni2 — Fri, 17 Feb 2017 16:25:49 GMT

In general, you fetch required events in base search (anything before first pipe) and then you aggregate the results using stats/timechart or any other similar command. Whereas, tstats is a special command which let you do both, fetching and aggregation, in the same command itself. Since you were doing a simple stats, with bucketing based on _time, I was able to bundle that as single tstats command. I would check the results (without where clause) first and then add more aggragation, if required.

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

jacqu3sy — Fri, 17 Feb 2017 16:46:09 GMT

Awesome. Thanks for your help.