Solved: Password Spraying alert from Windows Event Logs

pdumblet · ‎10-20-2016

I am attempting to set an alert to monitor for possible password spraying in my AD environment.

I am using windows security event logs and specifically eventcode 4625.

I have created the following search string that does give me a count of events by host, by userid so I can see which hosts are generating failed login events.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10
| sort -EvtCounts
| eval EvtCatCnt = user." (".EvtCounts.")"
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost
| sort -Total_Events

| eval clienthost = clienthost." (".Total_Events.")"
| table clienthost, user

I am now trying to limit the results to only show host that have more than 1 user with failed login events. I am not sure how to limit the initial search with a stats count by host, user where count >= 2 and count < 10 then pass those results to another stats count.

Any suggestions would be appreciated.

maciep · ‎10-22-2016

Having a bit of trouble picturing this all the way through, but you probably have a few options (typically the case with Splunk). Maybe you could use eventstats to get a distinct count of users.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| eventstats dc(user) as userCount by clienthost
| where EvtCounts <= 10 AND userCount > 1
...

Or maybe use mvcount a little later in your search to filter on that mv user field?

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10 
| sort -EvtCounts 
| eval EvtCatCnt = user." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost 
| where mvcount(user) > 1
...

View solution in original post

maciep · ‎10-22-2016

Having a bit of trouble picturing this all the way through, but you probably have a few options (typically the case with Splunk). Maybe you could use eventstats to get a distinct count of users.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| eventstats dc(user) as userCount by clienthost
| where EvtCounts <= 10 AND userCount > 1
...

Or maybe use mvcount a little later in your search to filter on that mv user field?

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10 
| sort -EvtCounts 
| eval EvtCatCnt = user." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost 
| where mvcount(user) > 1
...

pdumblet · ‎10-24-2016

Using your first suggestion worked. Now I am only seeing hosts with more than a single user account login failure. Thank you.

Password Spraying alert from Windows Event Logs

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation