Getting Data In

Successfull brute force loggings

ecanmaster
Explorer

I am looking for successfull brute force logins
basically I am looking for 5 failed logings followed by 1 successfull login
I found the below search and it seems to be working, but it's just counting the fails and success,
there is no time sequence
it isnt looking for the first 5 failed loggings, it counts all the failed and succeefull logings
and then makes a count,
how can I add the time awareness (5 failed loggings followed by 1 successfull within 5 or 10 min)?

action= failed or success (login)
user= userid's
index=* | bucket _time span=30m | stats list(action) as Attempts, count(eval(match(action,"failure"))) as Failed, count(eval(match(action,"success"))) as Success by user | where mvcount(Attempts)>=6 AND Success=1 AND Failed>=5

Tags (1)
0 Karma

alemarzu
Motivator

Hi there @ecanmaster

Perhaps something like this might help you.

earliest=-11min@min latest=-1min@min your_main_search_here action="success"
 | stats count, latest(_time) AS lastLogin by user
 | eval timewindow=lastLogin - 600 
 | map maxsearches=100 search="your_main_search_here action="failure" earliest=$timewindow$ latest=$lastLogin$ user=$user$"
 | stats count, latest(_time) AS "Latest Attempt" by user 
 | convert ctime("Latest Attempt") 
 | rename user AS "Compromised Account", count AS "loginAttempts"
 | where loginAttempts > 4

This should search successful user logins in a 10 min window and if it finds one it goes back in time 10 min to find failed attempts in the last 10 minutes for each user/success login.

Could't tested it, hope it helps.

EDIT: Fixed. Thank you @DalJeanis

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@alemarzu - looks good with one fix and one improvement...

1) latest=-11m@m earliest=-1m@m

2) No need to kill the field count; it gets thrown away at the next command ( map ) anyway.

0 Karma

printul77700
Explorer

hmm,so for each successful login we go and execute?
isn’t more normal to search only when I see a fail, which are not so often as successful logins?
thanks

0 Karma

alemarzu
Motivator

Thank you!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...