Security

Filter "root" logins for Failed and Success outputs in succession

dsmeerkat
Explorer

Hello my Splunk Ninjas,

I have a tough one I am trying to figure out. I have a report that gives me:

index=blah sourcetype=unix action=failure
| lookup approved_server_ips ip as src OUTPUT filter
| search filter=0
| eval Local_1=split(upper(user),"\\")
| eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1))
| rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name
| stats count by index,Failed_Account_Name,Source_Device_IP,host
| where count>4
| sort by -count
| head $Local_alert_count$

This search runs fine however, I have instances where I will get a failed "root" login immediately followed by a successful login on the same system....

14:30:00 - 192.555.1.1 root Failed
14:30:02 - 192.555.1.1 root Success

I need to be able to eval these and, if I see a system (Source_Device_IP) with a "Failed" attempt immediately followed by a Success, not report this system. Perhaps something along these lines?

| eval alert = if(match(list, "(?:failure\s?){1,}(?:success)"), "True", "False")

0 Karma

gcusello
SplunkTrust

Hi dsmeerkat,
I would try to extract a field with the result of the login, then add this field to stats and then use this field to filter, something like this:

index=blah sourcetype=unix (action=failure OR action=success)
| lookup approved_server_ips ip as src OUTPUT filter 
| search filter=0 
| eval Local_1=split(upper(user),"\\") 
| eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1)) 
| rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name 
| rex "(?<Result>Failed|Success)"
| stats count(eval(Result="Failed")) AS count values(Result) AS Result by index,Failed_Account_Name,Source_Device_IP,host 
| where count>4 
| search NOT (Result=Failed AND Result=Success)
| sort -count 
| head $Local_alert_count$

(verify regex).
Bye.
Giuseppe

0 Karma

dsmeerkat
Explorer

Or, better yet, an eval against epoch time may be better.

0 Karma
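The filter the question asks for, written as an added example that is not code from this thread: it reimplements the "failed root login immediately followed by a success from the same source" suppression in Python, with the comparison done on epoch time as dsmeerkat's last remark suggests. Field names mirror the thread (src, user, action); the events, the 5-second window and the max_failures cut-off are assumptions. The cut-off is the check a practitioner would want here: a source that fails many times in a row and then succeeds is a brute force that worked, and must not be suppressed just because a success followed the failures.

```python
"""Suppress "typo then success" root logins from a failed-login report.

Added example, not code from the Splunk thread: it reimplements the
requested filter in Python so the window logic can be run offline.
Field names mirror the thread (src, user, action) with _time as epoch
seconds. All events below are constructed sample data.
"""
from collections import Counter, defaultdict

# Constructed sample events: (epoch_time, src, user, action)
EVENTS = [
    # 192.0.2.10: six typos spread over 25 min, the last fixed 2 s later -> benign
    (1700000000, "192.0.2.10", "root", "failure"),
    (1700000300, "192.0.2.10", "root", "failure"),
    (1700000600, "192.0.2.10", "root", "failure"),
    (1700000900, "192.0.2.10", "root", "failure"),
    (1700001200, "192.0.2.10", "root", "failure"),
    (1700001500, "192.0.2.10", "root", "failure"),
    (1700001502, "192.0.2.10", "root", "success"),
    # 192.0.2.20: five failures and never a success -> report
    (1700002000, "192.0.2.20", "root", "failure"),
    (1700002001, "192.0.2.20", "root", "failure"),
    (1700002002, "192.0.2.20", "root", "failure"),
    (1700002003, "192.0.2.20", "root", "failure"),
    (1700002004, "192.0.2.20", "root", "failure"),
    # 192.0.2.30: DOMAIN\user form; the success comes 700 s later, outside the window -> report
    (1700003000, "192.0.2.30", "CORP\\root", "failure"),
    (1700003001, "192.0.2.30", "CORP\\root", "failure"),
    (1700003002, "192.0.2.30", "CORP\\root", "failure"),
    (1700003003, "192.0.2.30", "CORP\\root", "failure"),
    (1700003004, "192.0.2.30", "CORP\\root", "failure"),
    (1700003700, "192.0.2.30", "CORP\\root", "success"),
    # 192.0.2.40: six failures in six seconds, then success: a brute force that worked -> report
    (1700004000, "192.0.2.40", "root", "failure"),
    (1700004001, "192.0.2.40", "root", "failure"),
    (1700004002, "192.0.2.40", "root", "failure"),
    (1700004003, "192.0.2.40", "root", "failure"),
    (1700004004, "192.0.2.40", "root", "failure"),
    (1700004005, "192.0.2.40", "root", "failure"),
    (1700004006, "192.0.2.40", "root", "success"),
    # 192.0.2.50: one typo then success -> benign (and below threshold anyway)
    (1700005000, "192.0.2.50", "admin", "failure"),
    (1700005001, "192.0.2.50", "admin", "success"),
]


def local_account_name(user):
    """Mirror the thread's split(upper(user),"\\") / mvindex(Local_1,1) logic:
    strip a DOMAIN\\ prefix, otherwise keep the user value as-is."""
    parts = user.upper().split("\\")
    return parts[1] if len(parts) > 1 else user


def typo_then_success_keys(events, window_s=5, max_failures=2):
    """Return (src, account) keys that show a small number of failures
    (1..max_failures) within window_s seconds before a success. Larger
    failure runs before a success are NOT treated as benign."""
    by_key = defaultdict(list)
    for t, src, user, action in events:
        by_key[(src, local_account_name(user))].append((t, action))
    benign = set()
    for key, evs in by_key.items():
        evs.sort()
        for i, (t, action) in enumerate(evs):
            if action != "success":
                continue
            recent_failures = sum(
                1 for t2, a2 in evs[:i] if a2 == "failure" and t - t2 <= window_s
            )
            if 1 <= recent_failures <= max_failures:
                benign.add(key)
                break
    return benign


def failed_login_report(events, threshold=4, window_s=5, max_failures=2):
    """Count failures per (src, account), keep counts above threshold (the
    thread's where count>4), drop the typo-then-success keys, sort by -count."""
    counts = Counter(
        (src, local_account_name(user))
        for _, src, user, action in events
        if action == "failure"
    )
    benign = typo_then_success_keys(events, window_s, max_failures)
    report = {k: c for k, c in counts.items() if c > threshold and k not in benign}
    return sorted(report.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for (src, account), count in failed_login_report(EVENTS):
        print(f"{src}\t{account}\t{count}")
```

Two things carry over to SPL regardless of how the search is written: the base search must return both outcomes (action=failure alone can never see the following success), and the failure count that feeds the threshold should be counted separately from the flag that marks a source as benign. In SPL the pairing itself can be done with transaction over the source and account with startswith on the failure, endswith on the success and a small maxspan, or with streamstats carrying the previous event's action and _time; with either, keep an eventcount-style check so that a long failure run ending in a success is still reported.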