Splunk Search

Search for Suspicious Logon Behavior

johann2017
Explorer

Hello there. I want to build a query that alerts off when a single source IP or source computer is attempting to logon to multiple computers (Event Code's 4624 and 4625). How can I go about this?

I tried with the query below but its not differentiating single to many logon attempts, it is returning also single to single attempts which is not what I want.

index=windows-logs (EventCode=4624 OR EventCode=4625) src_ip=* src!=10.1.2.23 | top Account_Name, src_ip limit=0 countfield="Total" showperc=f | where Total > 20 | rename src_ip AS "Source IP Performing Remote Login Attempts"

Tags (1)
0 Karma
1 Solution

martynoconnor
Communicator

Something like this?

index=windows-logs (EventCode=4624 OR EventCode=4625) src_ip=* NOT src="10.1.2.23"
| stats dc(host) AS hosts by Account_Name
| where hosts > 20
| rename src_ip AS "Source IP Performing Remote Login Attempts"

View solution in original post

0 Karma

martynoconnor
Communicator

Something like this?

index=windows-logs (EventCode=4624 OR EventCode=4625) src_ip=* NOT src="10.1.2.23"
| stats dc(host) AS hosts by Account_Name
| where hosts > 20
| rename src_ip AS "Source IP Performing Remote Login Attempts"

0 Karma

johann2017
Explorer

Hello Marty. A couple of things I found when doing a test vulnerability scan which would mimic the type of behavior I want to alert on (a single IP scanning multiple IPs). I found the the remote systems attempting to be accessed show up under the field name "dest" and that the source ip of the scanner attempting to connect is under the field name "Source_Network_Address". I modified your sytax below - does it look right because I am getting zero results?

index=windows-logs (EventCode=4624 OR EventCode=4625) Source_Network_Address=* NOT src="10.1.2.23"
| stats dc(dest) AS dest by Source_Network_Address
| where dest > 20

0 Karma

johann2017
Explorer

Actually I had a typo in my index. I think your recommendation will get me going in the right direction. I am going to keep testing with it though. Thanks!!

0 Karma

johann2017
Explorer

@martynoconnor If I wanted to build a similar search - except this time I want to alert off a certain username trying to log on to multiple computers how would I do that? Let's say the usernames I am interested in are Administrator and Root...

0 Karma

martynoconnor
Communicator

If the usernames are important, then add them in as key=value pairs before the first pipe, and then as a second by clause for the stats(dc). Something like this:

index=windows-logs (EventCode=4624 OR EventCode=4625) Source_Network_Address=* NOT src="10.1.2.23" (user=Administrator OR user=root)
| stats dc(dest) AS dest by Source_Network_Address user
| where dest > 20

0 Karma

johann2017
Explorer

You rock that worked too!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...