Failed Login Anomalies detection - EventCode=4625

David_Shoshany
Explorer

Hello,
I have the following fields on EventCode=4625 (failed login events):
_time, Source_Network_Address, Account_Name, Workstation_Name, EventCode

I want to create anomaly creation rules based on the source address field, to check whether there is a relatively high amount of failed logins from the same source address.

I am currently using a static threshold (...| where count > 50), but I want it to be dynamic across the week: weekday/weekend and morning/night changes.
Can anyone give me some direction or a query example?

Thanks

gcusello
SplunkTrust

Hi @David_Shoshany ,

Which kind of dynamicity are you thinking of?

If one threshold for working days (e.g. 50) and one for weekends (e.g. 20) is enough, it's easy: you should add this row to your search:

| eval threshold=if(date_wday="saturday" OR date_wday="sunday",20,50)

If you also want to manage holidays, it's more complicated, because you should create a lookup containing all the days of the year.

Ciao.

Giuseppe

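Putting that row into a complete alert search, as an added example that is not from the original thread or from Splunk's own documentation: the index name `wineventlog`, the one-hour bucketing and the field name `failed_logins` are assumptions. The row from the reply relies on the automatically extracted `date_wday` field, which is no longer present after `stats`, so here the weekday is recomputed from the bucket's `_time` with `strftime`.

```spl
index=wineventlog EventCode=4625 earliest=-1h@h latest=@h
| bin _time span=1h
| stats count AS failed_logins BY _time Source_Network_Address
| eval wday=lower(strftime(_time, "%A"))
| eval threshold=if(wday="saturday" OR wday="sunday", 20, 50)
| where failed_logins > threshold
| table _time Source_Network_Address failed_logins threshold
```

Scheduled hourly, this raises one result per source address that exceeded the weekday or weekend limit in the last full hour; the `threshold` column is kept in the output so an analyst can see which limit was applied to each hit.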

David_Shoshany
Explorer

Hi, I would like the query to consider the changes throughout the week (in green).
[image attachment: chart of failed logins over the week, dynamic threshold in green, static threshold in red]
Which means that the threshold would be dynamic, not static (red line).


gcusello
SplunkTrust

Hi @David_Shoshany ,

If a division between working days and weekends is sufficient for you, my solution can solve your problem.

If instead you want a threshold that varies on the basis of the last week, it's just a little more complicated:

  • you could run every week a statistic on the results of the previous week,
  • extract the daily threshold as a percentage of these results,
  • write them in a lookup,
  • use these values in the alert.

There's only one problem: holidays.

Ciao.

Giuseppe
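The four steps above written out as two SPL searches, as an added example that is not from the original thread or from Splunk's own documentation. Everything not mentioned in the thread is an assumption: the index `wineventlog`, the lookup file name `failed_login_thresholds.csv`, the weekday-plus-hour key, and the rule that the threshold is 1.5 times the 95th percentile of last week's hourly counts for that slot, with a floor of 10. The first search is scheduled once a week and writes the lookup; the second is the hourly alert that reads it.

```spl
index=wineventlog EventCode=4625 earliest=-7d@d latest=@d
| bin _time span=1h
| stats count AS failed_logins BY _time Source_Network_Address
| eval wday=lower(strftime(_time, "%A")), hour=strftime(_time, "%H")
| stats perc95(failed_logins) AS p95_failed, avg(failed_logins) AS avg_failed BY wday hour
| eval threshold=round(max(p95_failed * 1.5, 10), 0)
| fields wday hour threshold avg_failed p95_failed
| outputlookup failed_login_thresholds.csv

index=wineventlog EventCode=4625 earliest=-1h@h latest=@h
| bin _time span=1h
| stats count AS failed_logins BY _time Source_Network_Address
| eval wday=lower(strftime(_time, "%A")), hour=strftime(_time, "%H")
| lookup failed_login_thresholds.csv wday hour OUTPUT threshold
| fillnull value=50 threshold
| where failed_logins > threshold
| table _time Source_Network_Address failed_logins threshold
```

Two points a practitioner would check before relying on this. First, `fillnull` gives a slot that had no events last week (and therefore no lookup row) a fixed fallback of 50, so a quiet slot never produces an empty threshold that silently disables the comparison. Second, the baseline is computed from raw counts, so a week that contained a real brute-force attempt from one source inflates the thresholds for the following week; excluding addresses already known to be malicious before the first `stats`, or keeping a minimum history of several weeks, limits that effect. Holidays remain the gap the reply names, because they land on weekday slots whose baseline comes from normal working days.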

David_Shoshany
Explorer

@gcusello  thank you.


gcusello
SplunkTrust

Hi @David_Shoshany,

you can use the timewrap command to compare a value with the previous one (one week, day, month, etc.), and you could use it here, but the problem is that in this case you have to search over a long time frame and many events; this means a long wait for the results, to get a value that you can extract once a week and reuse unchanged (until the next scheduled search).

Ciao and next time.

Giuseppe

P.S. Karma Points are appreciated.
