Getting Data In

Password Spraying alert from Windows Event Logs

pdumblet
Explorer

I am attempting to set an alert to monitor for possible password spraying in my AD environment.

I am using windows security event logs and specifically eventcode 4625.

I have created the following search string that does give me a count of events by host, by userid so I can see which hosts are generating failed login events.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10
| sort -EvtCounts
| eval EvtCatCnt = user." (".EvtCounts.")"
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost
| sort -Total_Events

| eval clienthost = clienthost." (".Total_Events.")"
| table clienthost, user

I am now trying to limit the results to only show host that have more than 1 user with failed login events. I am not sure how to limit the initial search with a stats count by host, user where count >= 2 and count < 10 then pass those results to another stats count.

Any suggestions would be appreciated.

0 Karma
1 Solution

maciep
Champion

Having a bit of trouble picturing this all the way through, but you probably have a few options (typically the case with Splunk). Maybe you could use eventstats to get a distinct count of users.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| eventstats dc(user) as userCount by clienthost
| where EvtCounts <= 10 AND userCount > 1
...

Or maybe use mvcount a little later in your search to filter on that mv user field?

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10 
| sort -EvtCounts 
| eval EvtCatCnt = user." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost 
| where mvcount(user) > 1
...

View solution in original post

0 Karma

maciep
Champion

Having a bit of trouble picturing this all the way through, but you probably have a few options (typically the case with Splunk). Maybe you could use eventstats to get a distinct count of users.

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| eventstats dc(user) as userCount by clienthost
| where EvtCounts <= 10 AND userCount > 1
...

Or maybe use mvcount a little later in your search to filter on that mv user field?

sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip 
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10 
| sort -EvtCounts 
| eval EvtCatCnt = user." (".EvtCounts.")" 
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost 
| where mvcount(user) > 1
...

View solution in original post

0 Karma

pdumblet
Explorer

Using your first suggestion worked. Now I am only seeing hosts with more than a single user account login failure. Thank you.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!