Filter "root" logins for Failed and Success outputs in succession

dsmeerkat
Explorer

Hello my Splunk Ninjas,

I have a tough one I am trying to figure out. I have a report that gives me:

index=blah sourcetype=unix action=failure
| lookup approved_server_ips ip as src OUTPUT filter
| search filter=0
| eval Local_1=split(upper(user),"\\")
| eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1))
| rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name
| stats count by index,Failed_Account_Name,Source_Device_IP,host
| where count>4
| sort by -count
| head $Local_alert_count$

This search runs fine; however, I have instances where I will get a failed "root" login immediately followed by a successful login on the same system:

14:30:00 - 192.555.1.1 root Failed
14:30:02 - 192.555.1.1 root Success

I need to be able to eval these, and if I see a system (Source_Device_IP) with a "Failed" attempt immediately followed by a Success, not report this system. Perhaps something along these lines?

| eval alert = if(match(list, "(?:failure\s?){1,}(?:success)"), "True", "False")

0 Karma

gcusello
SplunkTrust

Hi dsmeerkat,
I would try to extract a field with the result of the login, then add this field to stats and then use this field to filter, something like this:

index=blah sourcetype=unix action=failure
| lookup approved_server_ips ip as src OUTPUT filter
| search filter=0
| eval Local_1=split(upper(user),"\\")
| eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1))
| rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name
| rex "(?<Result>Failed|Success)"
| stats values(Result) AS Result count by index,Failed_Account_Name,Source_Device_IP,host
| where count>4
| sort by -count
| search Result=Failed Result=Success
| head $Local_alert_count$

(verify regex).
Bye.
Giuseppe

0 Karma

dsmeerkat
Explorer

Or better yet an eval against epochtime may be better

0 Karma
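As an added example that is not part of this thread, here is the filter dsmeerkat describes (a failure immediately followed by a success from the same source suppresses that source), written in Python against constructed sample events rather than in SPL so it can be run offline; the 5-second window and the grouping on (source IP, user) are my assumptions, and the count>4 threshold mirrors the search above.

```python
from collections import defaultdict

# Constructed sample events (not from the original post): (epoch_time, src_ip, user, result).
# The 192.555.x.x addresses copy the thread's placeholder style and are not routable.
BASE = 1717252200  # 2024-06-01 14:30:00 UTC; any base works
SAMPLE_EVENTS = (
    # 192.555.1.1: five failures, then a success 2 s after the last -> suppress
    [(BASE + i, "192.555.1.1", "root", "Failed") for i in range(5)]
    + [(BASE + 6, "192.555.1.1", "root", "Success")]
    # 192.555.1.2: six failures and never a success -> report
    + [(BASE + 60 + i, "192.555.1.2", "root", "Failed") for i in range(6)]
    # 192.555.1.3: five failures, success only an hour later -> still report
    + [(BASE + 120 + i, "192.555.1.3", "root", "Failed") for i in range(5)]
    + [(BASE + 3720, "192.555.1.3", "root", "Success")]
    # 192.555.1.4: two failures, below the count>4 threshold -> not reported
    + [(BASE + 200 + i, "192.555.1.4", "root", "Failed") for i in range(2)]
)

def summarize(events, window_seconds=5):
    """Group by (src_ip, user), order by time and return, per group,
    (failed_count, followed_by_success). The flag is True when some Failed
    event is followed by a Success for the same pair within window_seconds."""
    groups = defaultdict(list)
    for epoch, src, user, result in events:
        groups[(src, user)].append((epoch, result))
    summary = {}
    for key, evs in groups.items():
        evs.sort()  # chronological order, the equivalent of sorting on _time
        followed = any(
            res == "Failed" and nxt == "Success" and t_nxt - t <= window_seconds
            for (t, res), (t_nxt, nxt) in zip(evs, evs[1:])
        )
        failed_count = sum(1 for _, res in evs if res == "Failed")
        summary[key] = (failed_count, followed)
    return summary

def systems_to_report(events, min_failures=5, window_seconds=5):
    """Keep the thread's `where count>4` threshold and drop any pair whose
    failures are immediately followed by a success, as dsmeerkat asked."""
    return {
        key: count
        for key, (count, followed) in summarize(events, window_seconds).items()
        if count >= min_failures and not followed
    }

if __name__ == "__main__":
    for (src, user), count in sorted(systems_to_report(SAMPLE_EVENTS).items()):
        print(f"{src} {user}: {count} failed logins, no immediate success")
```

The suppressed rows are kept in the summary with their flag rather than discarded, since a run of failures that ends in a success is also worth a separate, lower-priority review.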