Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Multi destination brute force attempt rule
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multi destination brute force attempt rule
Hi all,
I am trying to create a rule that alerts when one source IP/user tries to login in to several (more than one) different destinations/hosts but I'm struggling a bit with the syntax. I was wondering if anyone could help, this is what I've got so far:
| from datamodel:"Authentication"."Authentication"
| stats values(tag) as tag,values(app) as app,count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success, by src, user
| where failure>10
| streamstats sum(failure) as total_fails, values(user) as user, values(success) as success, values(failure) as failure by src
| stats list(failure) as fails, list(success) as success, list(user) as user, dc(user) as user_count by src, total_fails
| where user_count > 5
Any help is appreciated, thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| from datamodel:"Authentication"."Authentication"
| stats values(tag) AS tag values(app) AS app count(eval('action'=="failure")) AS failure count(eval('action'=="success")) AS success BY src user
| multireport
[ eventstats sum(failure) AS src_fails sum(success) AS src_successes list(user) AS users dc(user) AS user_count BY src ]
[ eventstats sum(failure) AS user_fails sum(success) AS user_successes list(src) AS sources dc(src) AS src_count BY user ]
| where user_count > 5 OR src_count > 5
This keeps the raw events to examine but you can change the eventstats to stats to just keep the summary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer, I gave it a go and it didn't do quite what I need it to do (definitely done better than my search though, I didn't even know multireport was a thing!)
My goal is to alert when a src has at least 3 failed login attempts to 3 different destinations. As if someone was on the network with a few passwords trying different machine after machine till they get in.
It's frying my brain.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| from datamodel:"Authentication"."Authentication"
| stats values(tag) AS tag values(app) AS app count(eval('action'=="failure")) AS failureCount count(eval('action'=="success")) AS successCount BY src user
| stats sum(failureCount) AS failureCount values(dst) AS destinations dc(dst) AS dstCount
| where failureCount>=3 AND dstCount>=3
I took you literally with destinations but maybe you meant users; if so s/dst/user/g
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
