
Baseline and query for Anomalous Invalid Login Attempts

suvamondal
New Member

I am working on Anomalous Invalid Login Attempts, where I need to detect multiple logins from the same user from different sites within a 30-minute time span, so I implemented the query below:

sourcetype=msad-successful-user-logons OR (EventCode=540 OR EventCode=4624)
NOT (user=$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| lookup ADSitesAndSubnets name as src_ip OUTPUT description as SiteName name as Subnet
| search NOT (SiteName=KDC OR SiteName=NDC) ```both are in the same region, so not required```
| lookup ComputerIPAddressTemporal ip AS src_ip OUTPUT computer AS ComputerName
| stats first(_time) as LastEventTime last(_time) as FirstEventTime by user src_ip SiteName ComputerName
| eval LogonData = ComputerName . "|" . SiteName . "|" . src_ip . "|" . strftime(FirstEventTime, "%H:%M:%S") . "|" . strftime(LastEventTime, "%H:%M:%S")
| stats dc(SiteName) as Number_Sites values(LogonData) as LogonData by user | where Number_Sites >= 2
| mvexpand LogonData
| rex field=LogonData "^(?<ComputerName>[^|]+)\|(?<SiteName>[^|]+)\|(?<src_ip>[^|]+)\|(?<FirstEventTime>[^|]+)\|(?<LastEventTime>[^|]+)$"
| ldapfilter domain=NEXEOSOLUTIONS search="(sAMAccountName=$user$)" attrs="distinguishedName"
| search distinguishedName="*OU=Nexeo Sync*"
| sort user SiteName ComputerName
| table user SiteName ComputerName src_ip FirstEventTime LastEventTime

Now my requirement is to define more baselines for "Anomalous Invalid Login Attempts".
My question is: what could the possible baselines be in this scenario, and what would the query for them look like?

0 Karma

hagjos43
Contributor

Defining a baseline can be tricky, as each system and environment is different. You might need to build a dashboard with multiple panels (queries) to give you a broad idea of average behavior over time. I see you're in a Windows environment, so I'll suggest taking a look at a few known working Windows queries here: http://gosplunk.com/category/wineventlogsecurity/ You can probably find a few queries to throw together in a dashboard, as well as use and abuse the queries to come up with something that'll suit your needs.

In addition, I'd use statistical functions such as average, median, standard deviation (etc, etc) over a proper period of time (week / month, weekend vs weekday) to properly determine behavior and baselines.

My $.02 at least 🙂

0 Karma
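To make the baseline idea above concrete, here is an added Python example (not part of the original thread and not Splunk code) that works through three complementary baselines for the "same user, several sites" question: the fixed 30-minute distinct-site rule from the original query, a per-user statistical threshold (mean + 3 sample standard deviations of the daily distinct-site count, the same statistic Splunk's `stdev()` computes) over a 14-day history, and a "site never seen before for this user" check. All events, user names, IPs and site names are constructed for the example; the history generator stands in for what a `stats dc(SiteName) by user, day` search over the baseline period would return.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

WINDOW = timedelta(minutes=30)  # the 30-minute span from the original question


def make_history():
    """Constructed 14-day logon history: (timestamp, user, src_ip, site).

    alice: one site a day, two sites on two of the days.
    bob:   one site a day, every day.
    carol: a travelling user who logs on from three sites every day.
    """
    events = []
    for day in range(1, 15):
        d = datetime(2024, 5, day)
        events.append((d.replace(hour=9), "alice", "10.1.1.5", "NYC"))
        if day in (3, 9):
            events.append((d.replace(hour=14), "alice", "10.2.1.7", "BOS"))
        events.append((d.replace(hour=8), "bob", "10.3.1.9", "LON"))
        for minute, site, ip in ((0, "NYC", "10.1.1.20"), (5, "BOS", "10.2.1.20"), (12, "CHI", "10.4.1.20")):
            events.append((d.replace(hour=9, minute=minute), "carol", ip, site))
    return events


HISTORY = make_history()

# Constructed "today" events to evaluate against the baselines.
TODAY = [
    (datetime(2024, 5, 15, 9, 0), "alice", "10.1.1.5", "NYC"),
    (datetime(2024, 5, 15, 9, 10), "alice", "10.2.1.7", "BOS"),
    (datetime(2024, 5, 15, 9, 20), "alice", "10.4.1.8", "CHI"),
    (datetime(2024, 5, 15, 8, 0), "bob", "10.3.1.9", "LON"),
    (datetime(2024, 5, 15, 12, 0), "bob", "10.5.1.9", "PAR"),
    (datetime(2024, 5, 15, 10, 0), "carol", "10.1.1.20", "NYC"),
    (datetime(2024, 5, 15, 10, 5), "carol", "10.2.1.20", "BOS"),
    (datetime(2024, 5, 15, 10, 12), "carol", "10.4.1.20", "CHI"),
]


def max_sites_in_window(events, window=WINDOW):
    """Baseline 1 (the original rule): max distinct sites per user inside any `window` span."""
    by_user = defaultdict(list)
    for ts, user, _ip, site in events:
        by_user[user].append((ts, site))
    result = {}
    for user, rows in by_user.items():
        rows.sort()
        best = 0
        for i, (t0, _) in enumerate(rows):  # slide the window start over each logon
            sites = {s for t, s in rows[i:] if t - t0 <= window}
            best = max(best, len(sites))
        result[user] = best
    return result


def distinct_sites_per_day(events):
    """{user: {date: set(sites)}}, the per-day statistic we baseline on."""
    out = defaultdict(lambda: defaultdict(set))
    for ts, user, _ip, site in events:
        out[user][ts.date()].add(site)
    return out


def baseline_thresholds(history, sigma=3.0):
    """Baseline 2: per-user threshold = mean + sigma * sample stdev of daily distinct-site counts.

    Days with no logons are simply absent (as in a stats-by-day result); fill them with
    zeros if quiet days should pull the baseline down.
    """
    thresholds = {}
    for user, days in distinct_sites_per_day(history).items():
        counts = [len(sites) for sites in days.values()]
        sd = stdev(counts) if len(counts) > 1 else 0.0
        thresholds[user] = mean(counts) + sigma * sd
    return thresholds


def flag_by_baseline(history, today, sigma=3.0):
    """Users whose distinct-site count today exceeds their own historical threshold.

    A user with no history has no baseline and is flagged on any logon (threshold 0).
    """
    thresholds = baseline_thresholds(history, sigma)
    today_counts = {u: len(set.union(*d.values())) for u, d in distinct_sites_per_day(today).items()}
    return {u: c for u, c in today_counts.items() if c > thresholds.get(u, 0.0)}


def first_seen_sites(history, today):
    """Baseline 3: {user: sites used today that never appeared for that user in the history}."""
    known = defaultdict(set)
    for _ts, user, _ip, site in history:
        known[user].add(site)
    new = defaultdict(set)
    for _ts, user, _ip, site in today:
        if site not in known[user]:
            new[user].add(site)
    return {u: sorted(s) for u, s in new.items()}


if __name__ == "__main__":
    print("30-min rule (>=2 sites):", {u: n for u, n in max_sites_in_window(TODAY).items() if n >= 2})
    print("above own baseline:     ", flag_by_baseline(HISTORY, TODAY))
    print("never-seen sites:       ", first_seen_sites(HISTORY, TODAY))
```

Running it shows why a fixed rule alone is a weak baseline: the 30-minute rule fires on both alice and carol, but carol's three sites in half an hour are her normal pattern, so she stays under her own threshold, while bob's two sites four hours apart never trip the 30-minute rule and are only caught by the statistical and first-seen baselines. Splitting the history into weekday and weekend sets before computing the thresholds, as suggested above, is a one-line filter on `ts.weekday()`.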

jsven7
Communicator

Are you trying to get a report? Can you provide some sample data and the conditions that represent "Anomalous Invalid Login Attempts"?

0 Karma