
Can you help me create a search that would monitor activity to our login page from a single URL?

MikeElliott
Communicator

Hi Team,

I hope that we are all well.

I'm working on a search to assist in monitoring one of our web portals. We'd like to identify instances where an IP address has hit our login page, received an HTTP status code between 400 and 500, and then is never seen anywhere else on our site.

Would it be as simple as:

index=web_portal request=*/auth/connect/token* (status>=400 AND status<500)
| search NOT
    [ search index=web_portal request!=*/auth/connect/token*
    | dedup src_ip
    | fields src_ip ]
| table _time src_ip site request

Any assistance would be greatly appreciated.


whrg
Motivator

Hi! So here is a search specifically for identifying users (src_ips) who have only failed login requests:

your base search | fields src_ip,site,request,status
| eval is_failed_login=if(like(request,"%/auth/connect/token%") AND status>=400 AND status<500,"yes","no")
| stats count(eval(is_failed_login=="yes")) as failed_logins count(eval(is_failed_login!="yes")) as other_requests by site,src_ip
| search other_requests=0

You could save the eval expression for is_failed_login as a calculated field via Settings / Fields / Calculated fields to shorten the search.
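As an added example (not code from the thread), here are both searches re-implemented in Python and run over constructed web-portal events, so the accepted answer's stats logic and the original post's subsearch logic can be compared on the same input. The events, IP addresses and status values are made up; only the field names (src_ip, site, request, status) and the token path come from the thread.

```python
"""Added example, not code from the thread: the accepted answer's stats
logic and the original post's subsearch logic, reimplemented in Python and
run over constructed web-portal events so the two can be compared."""
from collections import defaultdict

LOGIN_PATH = "/auth/connect/token"

# Constructed sample events using the thread's field names; not real data.
# One status is deliberately a string, as extracted fields often are.
EVENTS = [
    # 203.0.113.10: browses, fails once, then logs in -> normal user
    {"src_ip": "203.0.113.10", "site": "portal", "request": "GET /index.html", "status": 200},
    {"src_ip": "203.0.113.10", "site": "portal", "request": "POST /auth/connect/token", "status": 401},
    {"src_ip": "203.0.113.10", "site": "portal", "request": "POST /auth/connect/token", "status": 200},
    # 198.51.100.7: only ever fails at the token endpoint -> flagged by both searches
    {"src_ip": "198.51.100.7", "site": "portal", "request": "POST /auth/connect/token", "status": 400},
    {"src_ip": "198.51.100.7", "site": "portal", "request": "POST /auth/connect/token", "status": "401"},
    # 198.51.100.8: fails, but also visits another page -> flagged by neither
    {"src_ip": "198.51.100.8", "site": "portal", "request": "POST /auth/connect/token", "status": 403},
    {"src_ip": "198.51.100.8", "site": "portal", "request": "GET /help", "status": 200},
    # 192.0.2.5: token endpoint returned a 5xx, so no 4xx failure -> flagged by neither
    {"src_ip": "192.0.2.5", "site": "portal", "request": "POST /auth/connect/token", "status": 503},
    # 192.0.2.9: fails, then succeeds at the token endpoint, never hits another
    # page -> the two searches disagree (see the note below the code)
    {"src_ip": "192.0.2.9", "site": "portal", "request": "POST /auth/connect/token", "status": 401},
    {"src_ip": "192.0.2.9", "site": "portal", "request": "POST /auth/connect/token", "status": 200},
]


def status_code(event):
    """Coerce the status field to an int; missing or non-numeric values never match."""
    try:
        return int(event.get("status"))
    except (TypeError, ValueError):
        return None


def is_failed_login(event):
    """The eval from the accepted answer: token path in the request and a 4xx status."""
    code = status_code(event)
    return LOGIN_PATH in event.get("request", "") and code is not None and 400 <= code < 500


def failed_login_only_stats(events):
    """Accepted answer: count failed logins and everything else per
    (site, src_ip), then keep only the groups whose other_requests is 0."""
    counts = defaultdict(lambda: {"failed_logins": 0, "other_requests": 0})
    for ev in events:
        bucket = counts[(ev["site"], ev["src_ip"])]
        if is_failed_login(ev):
            bucket["failed_logins"] += 1
        else:
            bucket["other_requests"] += 1
    rows = [
        {"site": site, "src_ip": ip, **c}
        for (site, ip), c in counts.items()
        if c["other_requests"] == 0
    ]
    return sorted(rows, key=lambda r: (r["site"], r["src_ip"]))


def failed_login_only_subsearch(events):
    """Original post: 4xx token events, minus every src_ip that appears on a
    request whose path is not the token endpoint (the NOT [subsearch] part)."""
    seen_elsewhere = {
        ev["src_ip"] for ev in events if LOGIN_PATH not in ev.get("request", "")
    }
    return [
        ev for ev in events
        if is_failed_login(ev) and ev["src_ip"] not in seen_elsewhere
    ]


def flagged_ips(rows):
    """Distinct src_ip values in a result set, for comparing the two searches."""
    return sorted({r["src_ip"] for r in rows})


if __name__ == "__main__":
    print("stats approach:    ", flagged_ips(failed_login_only_stats(EVENTS)))
    print("subsearch approach:", flagged_ips(failed_login_only_subsearch(EVENTS)))
```

On this input the stats search flags only 198.51.100.7, while the subsearch version also returns the 401 from 192.0.2.9. The difference is what counts as "seen elsewhere": the accepted answer treats a successful token response as an other request, so an IP that fails and then logs in is dropped, which matches the "never seen again" intent; the subsearch only excludes IPs seen on non-token paths, so that IP's failure still surfaces. Two further practical differences: the stats version groups by site, so an IP that only fails on one site but browses another is still flagged for the first site, whereas the subsearch's IP list is built across all sites; and a subsearch is capped at a default of 10,000 results and 60 seconds, so the `dedup src_ip` in the subsearch (or the stats approach, which has no such cap) matters on a busy portal.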


MikeElliott
Communicator

Thank you! 😄

I'm normally not too bad with SPL, but for some reason, my head has been a bit awry this week!

0 Karma

whrg
Motivator

Hi, I believe that we are all well!
What exactly is the problem? Is your search not producing any results?
Perhaps you could post a couple of events. That would make it much easier for us to help.

0 Karma

MikeElliott
Communicator

Hi whrg,

Thanks for responding! I'm hesitant to post a few events because the info could be considered on the sensitive side, and redacting fields will kinda kill the event. I can attempt a more verbose explanation instead?

The end goal is to detect "unusual" activity on our login page. We are interested in detecting where a source IP has been seen failing to login to the logon portal, but hasn't been seen anywhere else on our site.

So a "user" has attempted to authenticate, failed, and then is never seen again.

What I'm trying to achieve with this logic is see instances where a single IP Address has only ever been seen failing to authenticate to /auth/connect/token.

I hope that this helps clear things up?

0 Karma