Baseline and query for Anomalous Invalid Login Attempts

New Member

I am working on Anomalous Invalid Login Attempts where I need to do multiple login from a same user from different sites in 30 mins time span, so the below query I implemented

sourcetype=msad-successful-user-logons OR (EventCode=540 OR EventCode=4624)
NOT (user=$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| lookup ADSitesAndSubnets name as src_ip OUTPUT description as SiteName name as Subnet
| search NOT (SiteName=KDC OR SiteName=NDC) )### both are same region so not require
| lookup ComputerIPAddressTemporal ip AS src_ip OUTPUT computer AS ComputerName
| stats first(_time) as LastEventTime last(_time) as FirstEventTime by user src_ip SiteName ComputerName
| eval LogonData = ComputerName . "|" . SiteName . "|" . src_ip . "|" . strftime(FirstEventTime, "%H:%M:%S") . "|" . strftime(LastEventTime, "%H:%M:%S")
| stats dc(SiteName) as Number_Sites values(LogonData) as LogonData by user | where Number_Sites >= 2
| mvexpand LogonData

| rex field=LogonData "^(?<ComputerName>[^|]+)|(?<SiteName>[^|]+)|(?<src_ip>[^|]+)|(?<FirstEventTime>[^|]+)|(?<LastEventTime>[^|]+)$"

| ldapfilter domain=NEXEOSOLUTIONS search="(sAMAccountName=$user$)" attrs="distinguishedName"

| search distinguishedName="*OU=Nexeo Sync

| sort user SiteName ComputerName
| table user SiteName ComputerName src_ip FirstEventTime LastEventTime

Now my requirement is to define more baseline for “Anomalous Invalid Login Attempts”.
My question is what could be the possible baselines in this scenario and what will be query for that.

Tags (1)
0 Karma


Defining a baseline can be tricky as each system and environment is different. You might need to build a dashboard with multiple panels (queries) to give you a broad idea of average behavior over time. I see you're in a windows environment, I'll suggest taking a look at a few known working Windows queries here: You can probably find a few queries to throw together in a dashboard, as well as use and abuse the queries to come up with something that'll suit your needs.

In addition, I'd use statistical functions such as average, median, standard deviation (etc, etc) over a proper period of time (week / month, weekend vs weekday) to properly determine behavior and baselines.

My $.02 at least 🙂

0 Karma


Are you trying to get a report? Can you provide some sample data and the conditions that represent "Anomalous Invalid Login Attempts"?

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...