Alerting

Attempting to Track authentications from a single src to many destinations within a time period

bavituity
New Member

This is the current query, but it's not really providing the needed data for the search.

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| transaction src maxspan=10m maxpause=2m
| stats dc(dest) as Dest_Count, values(dest) as Target_Systems by src
| search Dest_Count >35
| sort - Dest_Count

I really don't care about the Dest_Count >35; it was an attempt to gather something to start with. I was told to research the transaction command to obtain the required results.

0 Karma

richgalloway
SplunkTrust

The transaction command may help, but not with those options.

| transaction src maxspan=10m maxpause=2m

says to combine events with the same value in the src field and to close the transaction after 10 minutes or if there is a gap of at least 2 minutes between events.  That doesn't meet the requirements as I understand them.  Perhaps this will get you closer:

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| transaction src maxspan=2m
| where eventcount > 10
| sort - eventcount 

Be warned that transaction is an inefficient command.  A faster method uses streamstats (adapted from https://community.splunk.com/t5/Splunk-Search/Multiple-Login-Failure-Attempts/td-p/325933)

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| streamstats time_window=2m dc(dest) AS Dest_Count BY src 
| where Dest_Count >= 10
| sort - Dest_Count
---
If this reply helps you, Karma would be appreciated.
0 Karma

bavituity
New Member

How would I combine this output to look similar to this, as an example? I may have selected the wrong options, but the requirements are still the same.

SRC (Source System)    Dest_count    Target_Systems
Host123                5             Hosta
                                     Hostb
                                     Hostc
                                     Hostd
                                     Hoste
                                     Hoste

0 Karma

richgalloway
SplunkTrust

Try this.  The stats command does the grouping you seek.

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| streamstats time_window=2m dc(dest) AS Dest_Count BY src 
| where Dest_Count >= 10
| stats values(Dest_Count) as Dest_Count, values(dest) as Target_Systems by src
| sort - Dest_Count
---
If this reply helps you, Karma would be appreciated.
0 Karma
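Added example, not part of this thread or of Splunk: the trailing-window logic of the streamstats query in the reply above, emulated in Python over constructed 4624 records so the distinct-destination count per source can be checked outside Splunk. The event tuples, the helper name and the demo threshold of 4 are assumptions (the thread uses 10).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample 4624 events (not real log data):
# (timestamp, src, dest, EventCode, Logon_Type)
EVENTS = [
    ("2024-03-01T10:00:00", "Host123", "Hosta", 4624, 3),
    ("2024-03-01T10:00:20", "Host123", "Hostb", 4624, 3),
    ("2024-03-01T10:00:45", "Host123", "Hostc", 4624, 3),
    ("2024-03-01T10:01:10", "Host123", "Hostd", 4624, 3),
    ("2024-03-01T10:01:50", "Host123", "Hoste", 4624, 3),
    ("2024-03-01T10:12:00", "Host123", "Hostf", 4624, 3),  # 10 min later: outside the 2m window
    ("2024-03-01T10:00:05", "Host456", "Hostx", 4624, 3),
    ("2024-03-01T10:00:30", "Host456", "Hostx", 4624, 3),  # same dest again: dc(dest) stays 1
    ("2024-03-01T10:00:50", "Host456", "Hosty", 4624, 3),
    ("2024-03-01T10:00:10", "Host789", "Hosta", 4624, 2),  # Logon_Type 2: filtered out
    ("2024-03-01T10:00:15", "Host789", "Hostb", 4625, 3),  # failed logon: filtered out
]


def window_dc_by_src(events, window=timedelta(minutes=2), threshold=10):
    """Emulate: streamstats time_window=2m dc(dest) AS Dest_Count BY src
                | where Dest_Count >= threshold
                | stats max(Dest_Count), values(dest) by src
    Returns {src: (peak distinct-destination count, sorted targets)} for every
    src that reached the threshold inside any trailing window."""
    parsed = sorted(
        ((datetime.fromisoformat(ts), src, dest) for ts, src, dest, code, ltype in events
         if code == 4624 and ltype == 3),  # the base search's filter
        key=lambda e: e[0],
    )
    recent = defaultdict(deque)  # src -> (time, dest) pairs inside the trailing window
    hits = {}
    for t, src, dest in parsed:
        q = recent[src]
        q.append((t, dest))
        while t - q[0][0] > window:  # age out events older than the window
            q.popleft()
        dest_count = len({d for _, d in q})
        if dest_count >= threshold:
            peak, targets = hits.get(src, (0, set()))
            hits[src] = (max(peak, dest_count), targets | {d for _, d in q})
    return {s: (peak, sorted(targets)) for s, (peak, targets) in hits.items()}


if __name__ == "__main__":
    # Threshold lowered to 4 so the small sample set triggers; the thread uses 10.
    for src, (peak, targets) in window_dc_by_src(EVENTS, threshold=4).items():
        print(src, peak, targets)
```

In Splunk, streamstats with time_window needs the events in time order; the emulation sorts ascending and looks back, which gives the same per-event count.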

bavituity
New Member

Thanks for your response,

The required result is to determine if a single system was logging into multiple systems within a time period. If system credentials were compromised they may be logging into multiple systems within a time span. I understand event 4624 is a legitimate log, but it may indicate a possible issue if logging from the same system into multiple devices. I really don't need the | where Dest_Count >35. I need to know, for example, if there were 10 successful logins from the same system within 2 minutes. That's why I was attempting to use the | transaction src maxspan=10m maxpause=2m. I hope that clears up the requirements.

0 Karma

richgalloway
SplunkTrust

It would help if you said what the required results are, but I think the transaction command is not needed.  Try this query, which assumes the dest and src fields already exist.

index=main sourcetype=XmlWinEventLog EventCode=4624 Logon_Type=3
| stats dc(dest) as Dest_Count, values(dest) as Target_Systems by src
| where Dest_Count >35
| sort - Dest_Count

---
If this reply helps you, Karma would be appreciated.
0 Karma