Security

Filter "root" logins for Failed and Success outputs in succession

Explorer

Hello my Splunk Ninjas,

Ihave a tough one I am trying to figure out. I have a report that gives me:

index=blah sourcetype=unix action=failure
| lookup approvedserverips ip as src OUTPUT filter
| search filter=0
| eval Local1=split(upper(user),"\")

| eval Local
AccountName=if(isnull(mvindex(Local1,1)),user,mvindex(Local1,1))
| rename src as Source
DeviceIP, LocalAccountName as FailedAccountName
| stats count by index,Failed
AccountName,SourceDeviceIP,host
| where count>4
| sort by -count
| head $Local
alert_count$

This search runs fine however, I have instances where I will get a failed "root" login immediately followed by a successful login on the same system....

14:30:00 - 192.555.1.1 root Failed
14:30:02 - 192.555.1.1 root Success

I need to be able to eval theses and if I see a system (SourceDeviceIP) with a "Failed" attempt immediately followed by a Success, do not report this system, perhaps something along these lines?

| eval alert = if(match(list, "(?:failure\s?){1,}(?:success)"), "True", "False")

0 Karma

Legend

Hi dsmeerkat,
I should try to extract a filed with result of login, the add this field to starts and then use this field to filter, something like this:

index=blah sourcetype=unix action=failure 
| lookup approved_server_ips ip as src OUTPUT filter 
| search filter=0 
| eval Local_1=split(upper(user),"\\") 
| eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1)) 
| rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name 
| rex "(?<Result>Failed|Success)"
| stats values(Result) AS Result count by index,Failed_Account_Name,Source_Device_IP,host 
| where count>4 
| sort by -count 
| search Result=Failed Result=Success
| head $Local_alert_count$

(verify regex).
Bye.
Giuseppe

0 Karma

Explorer

Or better yet an eval against epochtime may be better

0 Karma