Password Spraying alert from Windows Event Logs

pdumblet
Explorer

I am attempting to set an alert to monitor for possible password spraying in my AD environment.

I am using windows security event logs and specifically eventcode 4625.

I have created the following search string that does give me a count of events by host, by userid so I can see which hosts are generating failed login events.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10
| sort -EvtCounts
| eval EvtCatCnt = user." (".EvtCounts.")"
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost
| sort -Total_Events
| eval clienthost = clienthost." (".Total_Events.")"
| table clienthost, user

I am now trying to limit the results to only show hosts that have more than 1 user with failed login events. I am not sure how to limit the initial search with a stats count by host, user where count >= 2 and count < 10 and then pass those results to another stats count.

Any suggestions would be appreciated.

1 Solution

maciep
Champion

Having a bit of trouble picturing this all the way through, but you probably have a few options (typically the case with Splunk). Maybe you could use eventstats to get a distinct count of users.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| eventstats dc(user) as userCount by clienthost
| where EvtCounts <= 10 AND userCount > 1
...

Or maybe use mvcount a little later in your search to filter on that mv user field?

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10 
| sort -EvtCounts 
| eval EvtCatCnt = user." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost 
| where mvcount(user) > 1
...


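The accepted answer's first pipeline, re-implemented as an added example (Python, not code from the original post or from Splunk) so the spray filter can be run over a handful of constructed 4625 events and its output checked offline. The sample events, the clientip-to-clienthost map that stands in for the `dnslookup` lookup, and the thresholds are assumptions made for this example; the field names mirror the SPL.

```python
"""Added example, not code from the original Splunk Community post: the
accepted answer's password-spray filter re-implemented in Python over
constructed Windows Security EventCode=4625 events, so the pipeline can be
run and its results checked offline. The sample events, the clientip ->
clienthost map standing in for the `dnslookup` lookup, and the thresholds
are assumptions made for this example."""
from collections import Counter, defaultdict

# Constructed 4625 events as (src_ip, user) pairs. Hosts: 10.0.0.5 spreads a
# few failures over many accounts (spray-like); 10.0.0.9 is one user failing
# repeatedly; 10.0.0.11 mixes one noisy account with one quiet one.
SAMPLE_EVENTS = [
    ("10.0.0.5", "alice"), ("10.0.0.5", "bob"), ("10.0.0.5", "carol"),
    ("10.0.0.5", "dave"), ("10.0.0.5", "alice"),
    ("10.0.0.9", "erin"), ("10.0.0.9", "erin"), ("10.0.0.9", "erin"),
    ("127.0.0.1", "svc"), ("::1", "svc"),      # loopback sources, excluded
    ("10.0.0.7", "WS01$"),                     # computer account, excluded
    ("10.0.0.11", "grace"),
] + [("10.0.0.11", "frank")] * 13              # 13 failures, above the cap

# Stand-in for `lookup dnslookup clientip as src_ip` (assumed hostnames).
DNS_MAP = {"10.0.0.5": "ws-sales01", "10.0.0.9": "ws-hr02",
           "10.0.0.11": "ws-dev03"}


def base_search(events):
    """The base search: drop loopback sources and computer accounts.
    Note: in SPL, user!="$" compares against the literal string "$"; to drop
    accounts ending in "$" (computer accounts) the pattern is user!="*$",
    which is what this filter mirrors."""
    for src_ip, user in events:
        if src_ip in ("127.0.0.1", "::1") or user.endswith("$"):
            continue
        yield src_ip, user


def count_failures(events, dns_map):
    """| lookup dnslookup ... | stats count as EvtCounts by user, clienthost"""
    counts = Counter()
    for src_ip, user in base_search(events):
        clienthost = dns_map.get(src_ip, src_ip)  # unresolved IPs keep the address
        counts[(user, clienthost)] += 1
    return counts


def spray_candidates(events, dns_map=DNS_MAP, max_per_user=10, min_users=2,
                     count_users_after_filter=False):
    """| eventstats dc(user) as userCount by clienthost
       | where EvtCounts <= max_per_user AND userCount >= min_users
       | stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost

    With count_users_after_filter=False the distinct-user count is taken
    before the EvtCounts cap, exactly as the answer's pipeline orders it;
    with True it is taken only over rows that survive the cap."""
    counts = count_failures(events, dns_map)
    if count_users_after_filter:
        counts = Counter({k: n for k, n in counts.items() if n <= max_per_user})
    users_per_host = defaultdict(set)
    for user, host in counts:
        users_per_host[host].add(user)
    out = {}
    for (user, host), n in counts.items():
        if n <= max_per_user and len(users_per_host[host]) >= min_users:
            entry = out.setdefault(host, {"Total_Events": 0, "user": []})
            entry["Total_Events"] += n
            entry["user"].append(f"{user} ({n})")      # eval EvtCatCnt
    for entry in out.values():
        entry["user"].sort()                          # values() sorts lexically
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("distinct users counted after cap:" if mode else "as in the answer:")
        result = spray_candidates(SAMPLE_EVENTS, count_users_after_filter=mode)
        for host, entry in result.items():
            print(f"  {host} ({entry['Total_Events']}): {', '.join(entry['user'])}")
```

One point the run makes visible: because `eventstats dc(user)` runs before `where EvtCounts <= 10`, a host with one account failing 13 times and one account failing once still gets `userCount = 2` and is reported (with only the quiet account listed). If the intent is "more than one account, each with a low failure count", place the `eventstats` after the `where`, which is what the `count_users_after_filter=True` path does.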
pdumblet
Explorer

Using your first suggestion worked. Now I am only seeing hosts with more than a single user account login failure. Thank you.
