Getting Data In

Successfull brute force loggings

ecanmaster
Explorer

I am looking for successfull brute force logins
basically I am looking for 5 failed logings followed by 1 successfull login
I found the below search and it seems to be working, but it's just counting the fails and success,
there is no time sequence
it isnt looking for the first 5 failed loggings, it counts all the failed and succeefull logings
and then makes a count,
how can I add the time awareness (5 failed loggings followed by 1 successfull within 5 or 10 min)?

action= failed or success (login)
user= userid's
index=* | bucket _time span=30m | stats list(action) as Attempts, count(eval(match(action,"failure"))) as Failed, count(eval(match(action,"success"))) as Success by user | where mvcount(Attempts)>=6 AND Success=1 AND Failed>=5

Tags (1)
0 Karma

alemarzu
Motivator

Hi there @ecanmaster

Perhaps something like this might help you.

earliest=-11min@min latest=-1min@min your_main_search_here action="success"
 | stats count, latest(_time) AS lastLogin by user
 | eval timewindow=lastLogin - 600 
 | map maxsearches=100 search="your_main_search_here action="failure" earliest=$timewindow$ latest=$lastLogin$ user=$user$"
 | stats count, latest(_time) AS "Latest Attempt" by user 
 | convert ctime("Latest Attempt") 
 | rename user AS "Compromised Account", count AS "loginAttempts"
 | where loginAttempts > 4

This should search successful user logins in a 10 min window and if it finds one it goes back in time 10 min to find failed attempts in the last 10 minutes for each user/success login.

Could't tested it, hope it helps.

EDIT: Fixed. Thank you @DalJeanis

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@alemarzu - looks good with one fix and one improvement...

1) latest=-11m@m earliest=-1m@m

2) No need to kill the field count; it gets thrown away at the next command ( map ) anyway.

0 Karma

printul77700
Explorer

hmm,so for each successful login we go and execute?
isn’t more normal to search only when I see a fail, which are not so often as successful logins?
thanks

0 Karma

alemarzu
Motivator

Thank you!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...