Alerting

Alerting on a one to many relationship

ksinghg
Engager

Hello,

I am trying to alert on failed login attempts in two scenarios:

  1. When multiple IPs try and log into the same email
  2. When one IP tries to log into multiple emails

My search string for 1 is as follows:

sourcetype="backend" | regex "User with email .* used an invalid password." | rex "User with email (?<email>.*) used an invalid password."  | rex "client_ip=(?<client_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)" | transaction email maxspan=1000s | search eventcount > 5 | stats count(eval(client_ip)) as IPCount by email | where IPCount > 1

My search string for 2:

sourcetype="backend" | regex "User with email .* used an invalid password." | rex "User with email (?<email>.*) used an invalid password." | rex "client_ip=(?<client_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)" | transaction client_ip maxspan=1000s | search eventcount > 2 | stats values(email), count(eval(email)) as EmailCount by client_ip | where EmailCount > 1

Both of these alert on "per result." They work as expected (the first sends an email showing one email and multiple IPs); however, when I increase either where IPCount > x or where EmailCount > x to anything greater than 1, I start to receive a flood of emails where there's only a one to one relationship (one email one IP). The email also leaves the "values(email)" column blank.

How can I do a search/alert to achieve my desired goal?

Thanks.

0 Karma

somesoni2
Revered Legend

Instead of using | stats count(eval(client_ip)) as IPCount by email, try using | stats dc(client_ip) as IPCount by email (same for other query).

ksinghg
Engager

The new search (below) is spamming my inbox again with results that don't map multiple emails to one IP as expected. Alerts return with a single email and single IP. The values(email) and EmailCount rows are left blank.

sourcetype="backend" | regex "User with email .* used an invalid password." | rex "User with email (?<email>.*) used an invalid password." | rex "client_ip=(?<client_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)" | transaction client_ip maxspan=1000s | search eventcount > 2 | stats values(email), dc(email) as EmailCount by client_ip | where EmailCount > 2

0 Karma

somesoni2
Revered Legend

Is this a real-time search or a regular/historic search? Do you always want to consider attempts within 1000 seconds as valid failed attempts, or can this be any duration? What's the time range you're using?

0 Karma

ksinghg
Engager

This is a real-time search. 1000 seconds is just for debugging. This can be any duration right now. Not using a time range.

0 Karma

somesoni2
Revered Legend

If this can be any duration, give this a try.

sourcetype="backend" | regex "User with email .* used an invalid password." | rex "User with email (?<email>.*) used an invalid password." | rex "client_ip=(?<client_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)" | stats values(email), dc(email) as EmailCount by client_ip | where EmailCount > 2

Also, the once-per-result option is available with regular/historical searches as well, so do you think you can run a regular, more frequent alert instead of using a real-time alert? Real-time searches are expensive.

0 Karma

ksinghg
Engager

I could, I just want to get the real-time approach working first. I just tried the above example and got a bunch of inaccurate alerts again.

0 Karma

somesoni2
Revered Legend

Can you try it with regular search?

Even with real-time there should be a time window that you must be looking at; what is it? (Maybe look at the job inspector to see what time range is being applied.)

0 Karma

ksinghg
Engager

Hello, I tried it with a regular search and nothing came up. However, for the above search strings, even with an IPCount / EmailCount > 2, the real-time results are correct but the email alerts are wrong.

0 Karma

ksinghg
Engager

Thanks, I'll try it out. Can you explain the difference as to why count() wouldn't work but dc() would?

0 Karma
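The count() versus dc() question above, and the suggested `stats dc(...)` fix earlier in the thread, come down to what each aggregation measures: `count(eval(client_ip))` counts every event that has a client_ip value, so one email failing six times from a single IP scores 6 and trips a `> 1` threshold, while `dc(client_ip)` counts distinct IPs and scores 1. The following is an added example, not code from the thread or from Splunk, that models those two aggregations in plain Python over constructed log lines in the same shape the thread's rex patterns expect. It assumes the usual Splunk semantics that `by` drops events whose group-by field is null, and it uses `\S+` for the email instead of the thread's greedy `.*` so the field stops at the next space.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data). alice fails six times from one IP,
# bob fails from three IPs, one IP hits four accounts, one line lacks client_ip,
# and one line is not a failed login at all.
SAMPLE_LOG = """\
2024-05-01T10:00:01 client_ip=10.0.0.1 User with email alice@example.com used an invalid password.
2024-05-01T10:00:05 client_ip=10.0.0.1 User with email alice@example.com used an invalid password.
2024-05-01T10:00:09 client_ip=10.0.0.1 User with email alice@example.com used an invalid password.
2024-05-01T10:00:12 client_ip=10.0.0.1 User with email alice@example.com used an invalid password.
2024-05-01T10:00:15 client_ip=10.0.0.1 User with email alice@example.com used an invalid password.
2024-05-01T10:00:20 client_ip=10.0.0.1 User with email alice@example.com used an invalid password.
2024-05-01T10:01:00 client_ip=10.0.0.2 User with email bob@example.com used an invalid password.
2024-05-01T10:01:30 client_ip=10.0.0.3 User with email bob@example.com used an invalid password.
2024-05-01T10:02:00 client_ip=10.0.0.4 User with email bob@example.com used an invalid password.
2024-05-01T10:03:00 client_ip=10.0.0.5 User with email carol@example.com used an invalid password.
2024-05-01T10:03:10 client_ip=10.0.0.5 User with email dave@example.com used an invalid password.
2024-05-01T10:03:20 client_ip=10.0.0.5 User with email erin@example.com used an invalid password.
2024-05-01T10:03:30 client_ip=10.0.0.5 User with email frank@example.com used an invalid password.
2024-05-01T10:04:00 User with email bob@example.com used an invalid password.
2024-05-01T10:05:00 client_ip=10.0.0.6 User with email grace@example.com logged in.
"""

# Same extractions as the thread's rex stages; \S+ (an assumption) replaces the greedy .*
EMAIL_RE = re.compile(r"User with email (?P<email>\S+) used an invalid password\.")
IP_RE = re.compile(r"client_ip=(?P<client_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)")


def parse_events(text):
    """Keep only failed-login lines (the thread's `regex` stage) and extract both fields."""
    events = []
    for line in text.splitlines():
        m = EMAIL_RE.search(line)
        if not m:
            continue
        ip = IP_RE.search(line)
        events.append({"email": m.group("email"),
                       "client_ip": ip.group("client_ip") if ip else None})
    return events


def count_by(events, key, value):
    """Models `stats count(eval(value)) by key`: one per event with a non-null value.
    Events with a null group-by field are dropped, as `by` does (assumed Splunk behaviour)."""
    out = defaultdict(int)
    for e in events:
        if e[key] is not None and e[value] is not None:
            out[e[key]] += 1
    return dict(out)


def dc_by(events, key, value):
    """Models `stats dc(value) by key`: number of DISTINCT non-null values per key."""
    out = defaultdict(set)
    for e in events:
        if e[key] is not None and e[value] is not None:
            out[e[key]].add(e[value])
    return {k: len(v) for k, v in out.items()}


def one_to_many(events, key, value, threshold):
    """Models `stats values(value), dc(value) as N by key | where N > threshold`.
    Returns {key: sorted distinct values} only for keys that exceed the threshold."""
    groups = defaultdict(set)
    for e in events:
        if e[key] is not None and e[value] is not None:
            groups[e[key]].add(e[value])
    return {k: sorted(v) for k, v in groups.items() if len(v) > threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("count(eval(client_ip)) by email:", count_by(evs, "email", "client_ip"))
    print("dc(client_ip) by email:         ", dc_by(evs, "email", "client_ip"))
    print("many IPs -> one email:          ", one_to_many(evs, "email", "client_ip", 1))
    print("one IP -> many emails:          ", one_to_many(evs, "client_ip", "email", 2))
```

Running it shows alice scoring 6 under the count() model but 1 under dc(), which is exactly the one-email/one-IP flood described earlier in the thread; only bob (three IPs) and 10.0.0.5 (four emails) survive the dc() thresholds.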