Getting Data In

Password Spraying alert from Windows Event Logs

pdumblet
Explorer

I am attempting to set an alert to monitor for possible password spraying in my AD environment.

I am using windows security event logs and specifically eventcode 4625.

I have created the following search string that does give me a count of events by host, by userid so I can see which hosts are generating failed login events.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10
| sort -EvtCounts
| eval EvtCatCnt = user." (".EvtCounts.")"
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost
| sort -Total_Events

| eval clienthost = clienthost." (".Total_Events.")"
| table clienthost, user

I am now trying to limit the results to only show host that have more than 1 user with failed login events. I am not sure how to limit the initial search with a stats count by host, user where count >= 2 and count < 10 then pass those results to another stats count.

Any suggestions would be appreciated.

0 Karma
1 Solution

maciep
Champion

Having a bit of trouble picturing this all the way through, but you probably have a few options (typically the case with Splunk). Maybe you could use eventstats to get a distinct count of users.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| eventstats dc(user) as userCount by clienthost
| where EvtCounts <= 10 AND userCount > 1
...

Or maybe use mvcount a little later in your search to filter on that mv user field?

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10 
| sort -EvtCounts 
| eval EvtCatCnt = user." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost 
| where mvcount(user) > 1
...

View solution in original post

0 Karma

maciep
Champion

Having a bit of trouble picturing this all the way through, but you probably have a few options (typically the case with Splunk). Maybe you could use eventstats to get a distinct count of users.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| eventstats dc(user) as userCount by clienthost
| where EvtCounts <= 10 AND userCount > 1
...

Or maybe use mvcount a little later in your search to filter on that mv user field?

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10 
| sort -EvtCounts 
| eval EvtCatCnt = user." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost 
| where mvcount(user) > 1
...
0 Karma

pdumblet
Explorer

Using your first suggestion worked. Now I am only seeing hosts with more than a single user account login failure. Thank you.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...