Getting Data In

Successful brute force logins


I am looking for successful brute force logins.
Basically I am looking for 5 failed logins followed by 1 successful login.
I found the below search and it seems to be working, but it's just counting the fails and successes;
there is no time sequence.
It isn't looking for the first 5 failed logins; it counts all the failed and successful logins
and then makes a count.
How can I add the time awareness (5 failed logins followed by 1 successful login within 5 or 10 min)?

action= failed or success (login)
user= userid's
index=* | bucket _time span=30m | stats list(action) as Attempts, count(eval(match(action,"failure"))) as Failed, count(eval(match(action,"success"))) as Success by user | where mvcount(Attempts)>=6 AND Success=1 AND Failed>=5

0 Karma


Hi there @ecanmaster

Perhaps something like this might help you.

earliest=-11min@min latest=-1min@min your_main_search_here action="success"
 | stats count, latest(_time) AS lastLogin by user
 | eval timewindow=lastLogin - 600
 | map maxsearches=100 search="your_main_search_here action=\"failure\" earliest=$timewindow$ latest=$lastLogin$ user=$user$"
 | stats count, latest(_time) AS "Latest Attempt" by user
 | convert ctime("Latest Attempt")
 | rename user AS "Compromised Account", count AS "loginAttempts"
 | where loginAttempts > 4

This should search for successful user logins in a 10 min window and, if it finds one, go back in time 10 min to find the failed attempts in the last 10 minutes for each user/successful login.

Couldn't test it, hope it helps.

EDIT: Fixed. Thank you @DalJeanis

0 Karma
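The time-ordered logic the question asks for (a successful login preceded by at least 5 failures for the same user within 10 minutes, which is also what the map-based answer above reconstructs per user), as an added Python example that is not part of the original post or any answer; the event tuples are constructed sample data and the function names are mine:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events, not data from the thread:
# (timestamp, user, action). Deliberately out of order to show that the
# detection sorts by time before evaluating the failure -> success sequence.
SAMPLE_EVENTS = [
    ("2023-02-20 10:06:00", "alice", "success"),  # alice: 5 failures in the prior 10 min -> hit
    ("2023-02-20 10:00:05", "alice", "failure"),
    ("2023-02-20 10:01:10", "alice", "failure"),
    ("2023-02-20 10:02:15", "alice", "failure"),
    ("2023-02-20 10:03:20", "alice", "failure"),
    ("2023-02-20 10:04:25", "alice", "failure"),
    ("2023-02-20 09:00:00", "bob", "failure"),    # bob: failures are >10 min old -> no hit
    ("2023-02-20 09:01:00", "bob", "failure"),
    ("2023-02-20 09:02:00", "bob", "failure"),
    ("2023-02-20 09:03:00", "bob", "failure"),
    ("2023-02-20 09:04:00", "bob", "failure"),
    ("2023-02-20 09:30:00", "bob", "success"),
    ("2023-02-20 11:00:00", "carol", "success"),  # carol: success BEFORE the failures -> no hit
    ("2023-02-20 11:00:30", "carol", "failure"),  # (a plain per-bucket count would flag this)
    ("2023-02-20 11:01:00", "carol", "failure"),
    ("2023-02-20 11:01:30", "carol", "failure"),
    ("2023-02-20 11:02:00", "carol", "failure"),
    ("2023-02-20 11:02:30", "carol", "failure"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def detect_bruteforce_success(events, threshold=5, window_sec=600):
    """Return one hit per successful login preceded by >= threshold failures
    for the same user within window_sec; failures after the success don't count."""
    window = timedelta(seconds=window_sec)
    hits = []
    recent_failures = defaultdict(deque)  # user -> failure timestamps still inside the window
    for ts, user, action in sorted(events, key=lambda e: parse(e[0])):
        t = parse(ts)
        fails = recent_failures[user]
        while fails and t - fails[0] > window:   # evict failures that fell out of the window
            fails.popleft()
        if action == "failure":
            fails.append(t)
        elif action == "success":
            if len(fails) >= threshold:
                hits.append({"user": user, "login_time": ts, "failed_attempts": len(fails)})
            fails.clear()  # a fresh run of failures is required before the next hit
    return hits

if __name__ == "__main__":
    for hit in detect_bruteforce_success(SAMPLE_EVENTS):
        print(hit)
```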


@alemarzu - looks good with one fix and one improvement...

1) latest=-11m@m earliest=-1m@m

2) No need to kill the field count; it gets thrown away at the next command (map) anyway.

0 Karma


Hmm, so for each successful login we go and execute?
Isn't it more normal to search only when I see a fail, which are not as frequent as successful logins?

0 Karma


Thank you!

0 Karma