https://community.splunk.com/t5/Splunk-Search/Would-my-search-detect-a-malicious-user-attempting-to-connect-to/m-p/319520#M95537 <P>Sure. I wondered about that. </P> <P>Look up the eventSearch value in the search.log for your original tstats search, and see what splunk substituted for "Authentication.dest" . Use that same underlying data model item in the "list() as dest" clause.</P> Wed, 01 Mar 2017 06:13:59 GMT DalJeanis 2017-03-01T06:13:59Z https://community.splunk.com/t5/Splunk-Search/Would-my-search-detect-a-malicious-user-attempting-to-connect-to/m-p/319517#M95534 <P>Problem with this search?</P> <P>Would the following search detect a malicious user, trying to connect to multiple destinations using a specific username, but only one failed login to each destination? My understanding is that the count against one specific destination would have to be greater than 5 for this to fire an alert.</P> <PRE><CODE>| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user","Authentication.dest" | rename "Authentication.user" as "user ","Authentication.dest" as "dest" | where 'count'&gt;5 </CODE></PRE> <P>Would it however detect an attack against say, 100 destinations, where there was just 1 failed login against each host? Someone trying to brute force a username 'Administratror' for example and fly under the &gt;5 trigger?</P> <P>Thanks.</P> Mon, 27 Feb 2017 10:44:43 GMT https://community.splunk.com/t5/Splunk-Search/Would-my-search-detect-a-malicious-user-attempting-to-connect-to/m-p/319517#M95534 jacqu3sy 2017-02-27T10:44:43Z https://community.splunk.com/t5/Splunk-Search/Would-my-search-detect-a-malicious-user-attempting-to-connect-to/m-p/319518#M95535 <P>You are correct that it would not detect such an attack. You could set up an additional search (with perhaps a different threshold for triggering) by moving the "by destination" portion of the search, something like this.</P> <PRE><CODE> | tstats `summariesonly` count list ("Authentication.dest") as "dest" from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user" | rename "Authentication.user" as "user " | where 'count'&gt;10 </CODE></PRE> Mon, 27 Feb 2017 15:49:43 GMT https://community.splunk.com/t5/Splunk-Search/Would-my-search-detect-a-malicious-user-attempting-to-connect-to/m-p/319518#M95535 DalJeanis 2017-02-27T15:49:43Z https://community.splunk.com/t5/Splunk-Search/Would-my-search-detect-a-malicious-user-attempting-to-connect-to/m-p/319519#M95536 <P>Thanks for confirming. Much appreciated.</P> <P>I did try your alternative search but it returned;<BR /> Error in 'stats' command: The argument '(Authentication.dest)' is invalid. </P> <P>I'll play around with it. Thanks again.</P> Mon, 27 Feb 2017 16:20:26 GMT https://community.splunk.com/t5/Splunk-Search/Would-my-search-detect-a-malicious-user-attempting-to-connect-to/m-p/319519#M95536 jacqu3sy 2017-02-27T16:20:26Z https://community.splunk.com/t5/Splunk-Search/Would-my-search-detect-a-malicious-user-attempting-to-connect-to/m-p/319520#M95537 <P>Sure. I wondered about that. </P> <P>Look up the eventSearch value in the search.log for your original tstats search, and see what splunk substituted for "Authentication.dest" . Use that same underlying data model item in the "list() as dest" clause.</P> Wed, 01 Mar 2017 06:13:59 GMT https://community.splunk.com/t5/Splunk-Search/Would-my-search-detect-a-malicious-user-attempting-to-connect-to/m-p/319520#M95537 DalJeanis 2017-03-01T06:13:59Z