Getting Data In

Successfull brute force loggings

ecanmaster
Explorer

I am looking for successfull brute force logins
basically I am looking for 5 failed logings followed by 1 successfull login
I found the below search and it seems to be working, but it's just counting the fails and success,
there is no time sequence
it isnt looking for the first 5 failed loggings, it counts all the failed and succeefull logings
and then makes a count,
how can I add the time awareness (5 failed loggings followed by 1 successfull within 5 or 10 min)?

action= failed or success (login)
user= userid's
index=* | bucket _time span=30m | stats list(action) as Attempts, count(eval(match(action,"failure"))) as Failed, count(eval(match(action,"success"))) as Success by user | where mvcount(Attempts)>=6 AND Success=1 AND Failed>=5

Tags (1)
0 Karma

alemarzu
Motivator

Hi there @ecanmaster

Perhaps something like this might help you.

earliest=-11min@min latest=-1min@min your_main_search_here action="success"
 | stats count, latest(_time) AS lastLogin by user
 | eval timewindow=lastLogin - 600 
 | map maxsearches=100 search="your_main_search_here action="failure" earliest=$timewindow$ latest=$lastLogin$ user=$user$"
 | stats count, latest(_time) AS "Latest Attempt" by user 
 | convert ctime("Latest Attempt") 
 | rename user AS "Compromised Account", count AS "loginAttempts"
 | where loginAttempts > 4

This should search successful user logins in a 10 min window and if it finds one it goes back in time 10 min to find failed attempts in the last 10 minutes for each user/success login.

Could't tested it, hope it helps.

EDIT: Fixed. Thank you @DalJeanis

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@alemarzu - looks good with one fix and one improvement...

1) latest=-11m@m earliest=-1m@m

2) No need to kill the field count; it gets thrown away at the next command ( map ) anyway.

0 Karma

printul77700
Explorer

hmm,so for each successful login we go and execute?
isn’t more normal to search only when I see a fail, which are not so often as successful logins?
thanks

0 Karma

alemarzu
Motivator

Thank you!

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...