Getting Data In

Can you help me create a search that would monitor activity to our login page from a single URL?

MikeElliott
Communicator

Hi Team,

I hope that we are all well?

I'm working on a search to assist in monitoring one of our web portals. We'd like to identify instances where an IP Address has hit our login page, received a http status code of between 400 & 500, and then is never seen anywhere else on our site.

Would it be as simple as:

index=web_portal request=*/auth/connect/token* (status>=400 AND status<500) 
| search NOT 
    [ search index=web_portal request!=*/auth/connect/token* 
    | table src_ip] 
| table _time src_ip site request

Any assistance would be greatly appreciated.

Tags (2)
0 Karma
1 Solution

whrg
Motivator

Hi! So here is a search specifically for identifying users (src_ips) who have only failed login requests:

your base search | table src_ip,site,request,status
| eval is_failed_login=if(like(request,"%/auth/connect/token%") AND status>=400 AND status<500,"yes","no")
| stats count(eval(is_failed_login=="yes")) as failed_logins count(eval(is_failed_login!="yes")) as other_requests by site,src_ip
| search other_requests=0

You could save the eval expression for is_failed_login as a calculated field via Settings / Fields / Calculated fields to shorten the search.

View solution in original post

whrg
Motivator

Hi! So here is a search specifically for identifying users (src_ips) who have only failed login requests:

your base search | table src_ip,site,request,status
| eval is_failed_login=if(like(request,"%/auth/connect/token%") AND status>=400 AND status<500,"yes","no")
| stats count(eval(is_failed_login=="yes")) as failed_logins count(eval(is_failed_login!="yes")) as other_requests by site,src_ip
| search other_requests=0

You could save the eval expression for is_failed_login as a calculated field via Settings / Fields / Calculated fields to shorten the search.

MikeElliott
Communicator

Thank you! 😄

I'm normally not too bad with SPL, but for some reason, my head has been a bit awry this week!

0 Karma

whrg
Motivator

Hi, I believe that we are all well!
What exactly is the problem? Is your search not producing any results?
Perhaps you could post a couple of events. That would make it much easier for us to help.

0 Karma

MikeElliott
Communicator

Hi whrg,

Thanks for responding! I'm hesitant to post a few events because the info could be considered on the sensitive side and redacting fields will kinda kill the event - I can attempt a more verbose expectation?

The end goal is to detect "unusual" activity on our login page. We are interested in detecting where a source IP has been seen failing to login to the logon portal, but hasn't been seen anywhere else on our site.

So a "user" has attempted to authenticate, failed, and then is never seen again.

What I'm trying to achieve with this logic is see instances where a single IP Address has only ever been seen failing to authenticate to /auth/connect/token.

I hope that this helps clear things up?

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...