Getting Data In

Password Spraying alert from Windows Event Logs

pdumblet
Explorer

I am attempting to set an alert to monitor for possible password spraying in my AD environment.

I am using windows security event logs and specifically eventcode 4625.

I have created the following search string that does give me a count of events by host, by userid so I can see which hosts are generating failed login events.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10
| sort -EvtCounts
| eval EvtCatCnt = user." (".EvtCounts.")"
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost
| sort -Total_Events

| eval clienthost = clienthost." (".Total_Events.")"
| table clienthost, user

I am now trying to limit the results to only show host that have more than 1 user with failed login events. I am not sure how to limit the initial search with a stats count by host, user where count >= 2 and count < 10 then pass those results to another stats count.

Any suggestions would be appreciated.

0 Karma
1 Solution

maciep
Champion

Having a bit of trouble picturing this all the way through, but you probably have a few options (typically the case with Splunk). Maybe you could use eventstats to get a distinct count of users.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| eventstats dc(user) as userCount by clienthost
| where EvtCounts <= 10 AND userCount > 1
...

Or maybe use mvcount a little later in your search to filter on that mv user field?

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10 
| sort -EvtCounts 
| eval EvtCatCnt = user." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost 
| where mvcount(user) > 1
...

View solution in original post

0 Karma

maciep
Champion

Having a bit of trouble picturing this all the way through, but you probably have a few options (typically the case with Splunk). Maybe you could use eventstats to get a distinct count of users.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| eventstats dc(user) as userCount by clienthost
| where EvtCounts <= 10 AND userCount > 1
...

Or maybe use mvcount a little later in your search to filter on that mv user field?

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10 
| sort -EvtCounts 
| eval EvtCatCnt = user." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost 
| where mvcount(user) > 1
...
0 Karma

pdumblet
Explorer

Using your first suggestion worked. Now I am only seeing hosts with more than a single user account login failure. Thank you.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...