"When X, Y and Z happens in 5 minutes, fire alert"

Engager

I'm trying to write a use case to detect potentially suspicious activity based around 2FA attempt logs. Basically I want to look for 2FA failures where the same user had a "bad passcode", "request timed out" and "user cancelled" failure reason all within 5 minutes, since this behavior would correlate to some suspicious activity we've seen recently. I can't find much guidance for building this online, though I suspect it can be achieved via the streamstats or transaction command.

Anyone have any clues on how this might be done?

sourcetype="2FA_logs"
result=FAILURE
(reason="Invalid Passcode" OR reason="No response" OR reason="User cancelled")
alert --> any time a user has all three events in 5 minutes


SplunkTrust

Is the username contained in the same sourcetype? If your username and reason/result are in different indexes/sourcetypes, then what is the common field value used to match them?
If you could provide a sample event, that would be better.

Engager

It would all be from the same sourcetype, in this case "sourcetype=2FA_logs". Will work on grabbing some sanitized log examples.


SplunkTrust

Then this query would work:

sourcetype="2FA_logs"
result=FAILURE
(reason="Invalid Passcode" OR reason="No response" OR reason="User cancelled") | stats dc(reason) as events by user | where events>=3

After this, save this search as an alert and schedule it for every 5 min.
Let me know if this helps!
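As an added example, not part of the answer above: the same correlation with a sliding 5-minute window per user via streamstats, so a bad passcode, a timeout and a cancel that straddle two scheduled runs are still caught. It assumes the fields user, reason and result exactly as named in the question.

```spl
sourcetype="2FA_logs" result=FAILURE
    (reason="Invalid Passcode" OR reason="No response" OR reason="User cancelled")
| sort 0 _time
| streamstats time_window=5m dc(reason) AS distinct_reasons values(reason) AS reasons BY user
| where distinct_reasons>=3
| stats min(_time) AS first_hit max(_time) AS last_hit values(reasons) AS reasons count AS hits BY user
| convert ctime(first_hit) ctime(last_hit)
```

Schedule it with a lookback longer than the window (for example the last 15 minutes) so a trio that crosses a run boundary is still evaluated, and throttle the alert on user so one burst does not fire repeatedly.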


SplunkTrust

My initial thoughts are, you should create a table with all your metrics, split by user. You should then assign a value to each metric, so yes=1 and no=0. You should then sum those values, and if the summed values equal the total number of metrics then it will clearly show the user affected.
