We are a financial institution using Splunk to capture Failed login count by username and IP address. We use 100s of application within our enterprise, and not every application writes failed login attempts with username and IP details. There are 10s of vendor applications that only provide username, but, no IP address. So, we are thinking to get the Failed Login and username from the logs and do an automatic lookup for IP address matching the username. Please advise
a) if this is feasible as IP address is not going to be static all the time
b) From where to get the user, IP address details as I have no knowledge on Networking. Please advise if that will be available in LDAP, AD, Firewall Logs etc.. so that I can request our network team to provide it
If you have DHCP logs, that can give you a mac address, IP and hostname. You can use the hostname/IP address from dhcp logs and tie that to your datasources with hostname or IP address to tie them up.
And how would that allow you to find the IP address when a log only contains a username? I don't think DHCP logs usually contain information on which user is on a certain machine.
it doesn't contain user name, but only host/mac/IP. where you have scenarios of IP changes, we can relate that to host and use logs that contain hostname [ e.g. windows or others] to get users. Not a clean way, but in the above case it could be helpful based on what's logged and whats available, if we can tie them up.
You could use one of the log sources that does log both user and IP address to generate some kind of "session list" that stores which machine a user last logged on to. Either as a summary index or as a lookup. Which you could then use to link usernames appearing in other logs to IP addresses.
Some caveats though:
- if different applications use different user account names for the same person, this becomes a lot more tricky to manage
- there is no guarantee that if a user has logged on to workstation with IP 10.0.0.1 and you then see a logon to application X by that same user, that that logon actually came from 10.0.0.1. Especially if that user's account was compromised (or shared with a colleague etc.) the login likely comes from a different IP and that would be exactly the kind of stuff you want to be looking for.
So while technically, you could keep track of user-IP relationships based on what workstation they last logged on to for instance, it is not a reliable way of determining the source IP for application logons.