Alerting

Splunk Alert creation for 5 unsuccessful login attempts from the same source and same destination?

rajuljain_mc
New Member

Sample log-
Cisco ACS Authentication Failed
Nov 3 08:21:13 REL-DC-MSTCRD-ACS CSCOacs_Failed_Attempts 0001982755 2 0 2017-11-03 08:21:13.484 +05:30 0038659009 5401 NOTICE Failed-Attempt:
Authentication failed, ACSVersion=acs-5.8.1.4-B.462.x86_64, ConfigVersionId=53, Device IP Address=10.150.0.5, Device Port=44041,
DestinationIPAddress=172.20.1.200, DestinationPort=49, UserName=mvparam, Protocol=Tacacs, RequestLatency=141, Type=Authentication, Action=Login,
Privilege-Level=15, Authen-Type=ASCII, Service=Enable, User=rajul, Port=39, Remote-Address=172.20.1.152, UserName=rajul,
AcsSessionID=REL-DC-MSTCRD-ACS/278522990/2009452, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII,
SelectedAccessService=IMC-Access, IdentityGroup=IdentityGroup:All Groups:IMC-L2G, FailureReason=22004 , Step=13013 , Step=15008 , Step=15004 ,
Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=13045 , Step=13015 , Step=13014 , Step=15037 , Step=15041 ,
Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=22004

Query-
index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed"

Stuck after this query, please help me write the rule.

0 Karma

hardikJsheth
Motivator

In case you want to take time into consideration as well, to check for consecutive unsuccessful login attempts, you can either use the timechart command or add the bin command to the query as follows:

index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | bin _time span=5m | stats count by _time, DestinationIPAddress, Remote-Address, UserName | where count > 5
0 Karma

harsmarvania57
Ultra Champion

Hi

Can you please try this query?

index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | stats count by DestinationIPAddress, Remote-Address, UserName | where count > 5

EDIT: Or maybe the query below, because I don't know which are your source and destination IPs; you can change the source and destination IP fields in the given query.

index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | stats count by DestinationIPAddress, "Device IP Address", UserName | where count > 5

Thanks,
Harshil

0 Karma
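The queries above can be checked offline before they are turned into a scheduled alert. The following is an added example, not code from the thread or from Splunk: it re-implements the `bin _time span=5m | stats count by _time, DestinationIPAddress, Remote-Address, UserName | where count ...` logic in plain Python over constructed Cisco ACS Failed-Attempt lines modelled on the sample in the question. It makes three points explicit that the SPL hides: `bin` only has an effect if `_time` is also in the `by` clause; `where count > 5` fires on six failures, while the question asks for five (use `>= 5`); and the sample carries two candidate "source" fields, `Remote-Address` (the host the user came from) and `Device IP Address` (the AAA client), so the rule has to pick one. The `_acs_line` helper, the `SAMPLE_LINES` events and the addresses in them are constructed for this example.

```python
"""Offline check of the 'N failed logins, same source, same destination' rule.

Added example (not from the original thread or from Splunk): plain-Python
equivalent of `bin _time span=5m | stats count by _time, DestinationIPAddress,
Remote-Address, UserName | where count >= N` over constructed Cisco ACS lines.
"""
import re
from collections import defaultdict
from datetime import datetime

# ACS writes "2017-11-03 08:21:13.484 +05:30" after the sequence numbers.
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{2}:\d{2}")
# Comma-separated Key=Value pairs; keys may contain spaces and hyphens
# ("Device IP Address", "Remote-Address"), values run up to the next comma.
KV_RE = re.compile(r"([A-Za-z][A-Za-z0-9 _-]*?)=([^,]*)")


def _acs_line(ts, remote, user, dest="172.20.1.200", nad="10.150.0.5"):
    """Build a constructed Failed-Attempt line shaped like the sample (hypothetical data)."""
    return (
        f"Nov 3 {ts[11:]} REL-DC-MSTCRD-ACS CSCOacs_Failed_Attempts 0001982755 2 0 "
        f"{ts}.484 +05:30 0038659009 5401 NOTICE Failed-Attempt: Authentication failed, "
        f"ACSVersion=acs-5.8.1.4-B.462.x86_64, Device IP Address={nad}, Device Port=44041, "
        f"DestinationIPAddress={dest}, DestinationPort=49, UserName={user}, Protocol=Tacacs, "
        f"Type=Authentication, Action=Login, Remote-Address={remote}, UserName={user}, "
        f"FailureReason=22004 , Step=13013 , Step=22004"
    )


# Constructed events: five failures for 'rajul' from 172.20.1.152 inside the
# 08:20-08:25 bin, one from another host, and two more that fall in the next bin.
SAMPLE_LINES = [
    _acs_line("2017-11-03 08:21:13", "172.20.1.152", "rajul"),
    _acs_line("2017-11-03 08:21:40", "172.20.1.152", "rajul"),
    _acs_line("2017-11-03 08:22:05", "172.20.1.153", "mvparam"),
    _acs_line("2017-11-03 08:22:31", "172.20.1.152", "rajul"),
    _acs_line("2017-11-03 08:23:02", "172.20.1.152", "rajul"),
    _acs_line("2017-11-03 08:24:59", "172.20.1.152", "rajul"),
    _acs_line("2017-11-03 08:25:01", "172.20.1.152", "rajul"),  # next 5-minute bin
    _acs_line("2017-11-03 08:27:45", "172.20.1.152", "rajul"),
]


def parse_acs_line(line):
    """Return (timestamp, fields) for one line. Repeated keys (Step=..., and
    UserName in the question's sample) are kept as lists, not overwritten."""
    ts = datetime.strptime(TS_RE.search(line).group(1), "%Y-%m-%d %H:%M:%S")
    fields = defaultdict(list)
    body = line.split("Authentication failed,", 1)[1]  # drop the syslog/ACS header
    for key, value in KV_RE.findall(body):
        fields[key.strip()].append(value.strip())
    return ts, fields


def bin_time(ts, span_minutes=5):
    """Floor a timestamp to a fixed bin, like `bin _time span=5m` (span must divide 60)."""
    return ts.replace(minute=ts.minute - ts.minute % span_minutes, second=0, microsecond=0)


def failed_login_alerts(lines, threshold=5, span_minutes=5, source_field="Remote-Address"):
    """Count failures per (bin, destination, source, user); return groups with
    count >= threshold as sorted (bin, dest, src, user, count) tuples.

    threshold=5 matches the question's "5 attempts"; the thread's `where count > 5`
    corresponds to threshold=6. source_field selects which IP is the "source":
    "Remote-Address" (user's host) or "Device IP Address" (the AAA client)."""
    counts = defaultdict(int)
    for line in lines:
        ts, f = parse_acs_line(line)
        key = (
            bin_time(ts, span_minutes).isoformat(),
            f["DestinationIPAddress"][0],
            f[source_field][0],
            "/".join(dict.fromkeys(f["UserName"])),  # distinct UserName values, in order
        )
        counts[key] += 1
    return sorted(k + (c,) for k, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    for hit in failed_login_alerts(SAMPLE_LINES):
        print("ALERT bin=%s dest=%s src=%s user=%s failures=%d" % hit)
    print("with `count > 5` semantics:", failed_login_alerts(SAMPLE_LINES, threshold=6))
```

Run as-is it reports one group (the 08:20 bin, 172.20.1.152 to 172.20.1.200, user rajul, five failures) and an empty result for the `> 5` variant, which is the off-by-one to decide on before scheduling the saved search. Fixed bins also mean five failures straddling 08:24:59 and 08:25:01 are split across two groups; if that matters, a sliding window (`streamstats` in SPL) is the alternative.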