Multisearch - Brute Force Attempts for both Linux and Windows


I am trying to create an alert to monitor for brute force attempt behavior for both linux and windows systems using a multisearch to stack my queries. I currently use the following query for Linux but do not have a goto windows alert that works and had a hard time finding one on answers...

Linux system Brute Force query :

sourcetype="linux_secure" process=sshd "password for" | rex field=_raw "(?<result>Accepted|Failed) password for (?<user>\w+) from (?<src>[0-9A-Fa-f:\.]+)" |eval success=if(result=="Failed",0,1), fail=if(result=="Failed",1,0) |stats range(_time) as range_secs sum(success) as success, sum(fail) as fail by host src |where fail!=0 |eval fail_rate_in_seconds=round(range_secs/fail,2) |where fail>10 AND success>0 | iplocation src |table host src success fail fail_rate_in_seconds Country
0 Karma


Hi johnward4,
I suggest to use eventtype or tags:
create an eventtype for windows (e.g. win_log_fail tag=LOGFAIL)

index=wineventlog sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=529)

and an eventtype for linux (e.g. linux_log_fail tag=LOGFAIL)

index=linux sourcetype=linux "error: PAM: Authentication failure for "

so you can have in the same search both the results and you can count failures for each host without distinction between linux and windows:

| ...

If you want to extract a field, you can do this for each sourcetype and then correlate them using coalesce function in eval command.


0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...