All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can the Splunk Machine Learning Toolkit be used to help identify a cluster of failed logins on Windows and Unix servers?

jeremybe
New Member
‎11-02-2017 12:01 PM

Can the Splunk Machine Learning Toolkit be utilized to help identify a cluster of failed logins on Windows and Unix Servers? I'm trying to find a use case to help demonstrate the capabilities in an IT Security/Analytics context and this is all very new to me.

Thanks

0 Karma
Reply

aoliner_splunk
Splunk Employee
Splunk Employee
‎11-06-2017 12:19 PM

You can do both without the Splunk Machine Learning Toolkit, though you may find the Toolkit's Detect Numeric Outliers assistant helpful.

Start by identifying the failed logins. This is specific to your environment and there are many examples online:
http://gosplunk.com/repeated-unsuccessful-logon-attempts-in-linux/

I'll assume you've gotten to the point where you have the following fields: _time, host, username. If you want to use the Toolkit, you can send that through timechart to aggregate by some span (say, every 5 minutes) and bring that data into the Detect Numeric Outliers assistant:

... | table _time, host, username | timechart span=5m count

Then, simply look for outliers in the number of failed logins. If you want to do this per host or per user, add that field in the split-by field in the assistant and you're done!

As for login attempts in rapid succession, a short span will detect that, or you could use streamstats to compute the time between login attempts and look for outliers there.

Reply

aoliner_splunk
Splunk Employee
Splunk Employee
‎11-02-2017 02:48 PM

Could you please elaborate on what you mean by a 'cluster'? Do you mean sets of systems that had failed logins around the same time? Do you mean sets of login attempts (on any system) that happened in rapid succession? Do you mean failed logins (on any system, at any time) that had similar characteristics? Etc.

0 Karma
Reply

jeremybe
New Member
‎11-06-2017 06:23 AM

Sorry! Actually, the first two scenarios you had mentioned - Both failed logins around the same time and login attempts on any systems that happened in rapid succession.

Thank you for your help!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...