I am attempting to set an alert to monitor for possible password spraying in my AD environment.
I am using windows security event logs and specifically eventcode 4625.
I have created the following search string that does give me a count of events by host, by userid so I can see which hosts are generating failed login events.
sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10
| sort -EvtCounts
| eval EvtCatCnt = user." (".EvtCounts.")"
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost
| sort -Total_Events
| eval clienthost = clienthost." (".Total_Events.")"
| table clienthost, user
I am now trying to limit the results to only show host that have more than 1 user with failed login events. I am not sure how to limit the initial search with a stats count by host, user where count >= 2 and count < 10 then pass those results to another stats count.
Any suggestions would be appreciated.
Having a bit of trouble picturing this all the way through, but you probably have a few options (typically the case with Splunk). Maybe you could use eventstats to get a distinct count of users.
sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
| stats count as EvtCounts by user, clienthost
| eventstats dc(user) as userCount by clienthost
| where EvtCounts <= 10 AND userCount > 1
...
Or maybe use mvcount a little later in your search to filter on that mv user field?
sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10
| sort -EvtCounts
| eval EvtCatCnt = user." (".EvtCounts.")"
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost
| where mvcount(user) > 1
...
Having a bit of trouble picturing this all the way through, but you probably have a few options (typically the case with Splunk). Maybe you could use eventstats to get a distinct count of users.
sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
| stats count as EvtCounts by user, clienthost
| eventstats dc(user) as userCount by clienthost
| where EvtCounts <= 10 AND userCount > 1
...
Or maybe use mvcount a little later in your search to filter on that mv user field?
sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10
| sort -EvtCounts
| eval EvtCatCnt = user." (".EvtCounts.")"
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost
| where mvcount(user) > 1
...
Using your first suggestion worked. Now I am only seeing hosts with more than a single user account login failure. Thank you.