I have two queries for detecting brute-force logins but am not able to get results. Can someone tell me why I'm not getting results?
index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$"| stats count, latest(_time) AS lastLogin by user |eval timewindow=lastLogin - 600 | map maxsearches=100 search="index=wineventlog TaskCategory=Logon" action="failure" earliest=$timewindow$ latest=$lastLogin$ user=$user$"| stats count, latest(_time) AS "Latest Attempt" by user | convert ctime("Latest Attempt") | rename user AS "Compromised Account", count AS "loginAttempts" | where loginAttempts > 4]
The other one is:
index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$"| stats count, latest(_time) AS lastLogin by user |eval timewindow=lastLogin - 600 | map [search index=wineventlog TaskCategory=Logon action=failure earliest=$timewindow$ latest=$lastLogin$ user=$user$ |stats count, latest(_time) AS "Latest Attempt" by user | rename user AS "Compromised Account", count AS "loginAttempts" | where loginAttempts > 4 ] maxsearches=1000
When I run this I get an error like: Invalid value "$timewindow$" for time term 'earliest'
Is there any way I can pass the value to the earliest and latest fields in the second search in map?
Any help will be appreciated.
It's telling you that the token is not being passed correctly for the variable $timewindow$, but I think the real problem is that you haven't escaped the quotes inside your map-search string.
We've escaped the quotes around failure in your code. It isn't really necessary to HAVE quotes there, before the first pipe in the search, but since that's the base problem, we figured we'd show you the fix.
We've also dropped `count` from the first `stats`, folded the `rename` of `count` from the second `stats` into the second `stats` itself, and moved the `where` clause up to save reformatting things you don't want to see. So, try this -
index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$"
| stats latest(_time) AS lastLogin by user
| eval timewindow=lastLogin - 600
| map maxsearches=100 search="index=wineventlog TaskCategory=Logon action=\"failure\" earliest=$timewindow$ latest=$lastLogin$ user=$user$"
| stats count AS loginAttempts , latest(_time) AS "Latest Attempt" by user
| where loginAttempts > 4
| convert ctime("Latest Attempt")
| rename user AS "Compromised Account"
As a general case, I suggest that Splunk programmers get out of the habit of having spaces in field names ("Latest Attempt") until they are completely done with all processing, and preferably not then. If you have internal spaces, that means you have to quote them, which then gives you a whole lot of redundant work if you ever want to use map or a few more useful commands.
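To make the semantics of the corrected query concrete outside Splunk, here is the same correlation (latest success per user in the 20-minute search window, then a count of that user's failures in the 600 seconds before it, flagged when the count exceeds 4) reimplemented in plain Python over a constructed event set. This is an added example, not code from the thread; the usernames, timestamps and the CSV line layout are made up, and Splunk's inclusive `earliest` / exclusive `latest` convention is assumed for the window bounds.

```python
"""Brute-force-then-success correlation, mirroring the SPL stats + map logic.

Constructed example; not part of the original thread.
"""
from datetime import datetime, timezone

WINDOW_SECONDS = 600        # eval timewindow=lastLogin - 600
THRESHOLD = 4               # where loginAttempts > 4
SEARCH_EARLIEST = 20 * 60   # earliest=-20min (inclusive)
SEARCH_LATEST = 60          # latest=-1min  (exclusive, Splunk convention)

# Constructed sample log, "timestamp,user,action", one logon event per line.
SAMPLE_LOG = """
# alice: 5 failures then a success inside 600s -> flagged (5 attempts)
2024-01-01T11:50:00,alice,failure
2024-01-01T11:50:10,alice,failure
2024-01-01T11:50:20,alice,failure
2024-01-01T11:50:30,alice,failure
2024-01-01T11:50:40,alice,failure
2024-01-01T11:51:00,alice,success
# bob: only 3 failures -> not flagged
2024-01-01T11:45:00,bob,failure
2024-01-01T11:45:05,bob,failure
2024-01-01T11:45:10,bob,failure
2024-01-01T11:46:00,bob,success
# carol: failures more than 600s before the success -> not flagged
2024-01-01T11:30:00,carol,failure
2024-01-01T11:30:10,carol,failure
2024-01-01T11:30:20,carol,failure
2024-01-01T11:30:30,carol,failure
2024-01-01T11:30:40,carol,failure
2024-01-01T11:52:00,carol,success
# dave: 7 failures, success, then 2 more failures (after success, not counted) -> 7
2024-01-01T11:53:00,dave,failure
2024-01-01T11:53:05,dave,failure
2024-01-01T11:53:10,dave,failure
2024-01-01T11:53:15,dave,failure
2024-01-01T11:53:20,dave,failure
2024-01-01T11:53:25,dave,failure
2024-01-01T11:53:30,dave,failure
2024-01-01T11:54:00,dave,success
2024-01-01T11:55:00,dave,failure
2024-01-01T11:55:10,dave,failure
# WS01$: machine account, excluded by user!="*$"
2024-01-01T11:48:00,WS01$,failure
2024-01-01T11:48:01,WS01$,failure
2024-01-01T11:48:02,WS01$,failure
2024-01-01T11:48:03,WS01$,failure
2024-01-01T11:48:04,WS01$,failure
2024-01-01T11:49:00,WS01$,success
# erin: success at 11:59:30 is past latest=-1min (11:59:00) -> not considered
2024-01-01T11:57:00,erin,failure
2024-01-01T11:57:01,erin,failure
2024-01-01T11:57:02,erin,failure
2024-01-01T11:57:03,erin,failure
2024-01-01T11:57:04,erin,failure
2024-01-01T11:59:30,erin,success
"""


def _epoch(ts):
    """ISO-8601 timestamp (assumed UTC) -> epoch seconds."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()


def parse_events(text):
    """Parse the CSV-ish sample into (epoch, user, action) tuples, skipping comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action = (f.strip() for f in line.split(","))
        events.append((_epoch(ts), user, action))
    return events


def find_compromised(events, now, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {user: {"loginAttempts": n, "latestAttempt": iso}} for flagged users."""
    lo, hi = now - SEARCH_EARLIEST, now - SEARCH_LATEST
    # Step 1/2: latest successful logon per user inside the search window,
    # ignoring machine accounts (user!="*$").
    latest_success = {}
    for epoch, user, action in events:
        if action != "success" or user.endswith("$") or not (lo <= epoch < hi):
            continue
        if epoch > latest_success.get(user, float("-inf")):
            latest_success[user] = epoch
    # Step 3/4: failures in [lastLogin - window, lastLogin), flag when > threshold.
    hits = {}
    for user, last_login in latest_success.items():
        fails = [e for e, u, a in events
                 if u == user and a == "failure" and last_login - window <= e < last_login]
        if len(fails) > threshold:
            hits[user] = {
                "loginAttempts": len(fails),
                "latestAttempt": datetime.fromtimestamp(max(fails), timezone.utc).isoformat(),
            }
    return hits


def detect_from_sample():
    """Run the correlation over SAMPLE_LOG with 'now' fixed at 12:00:00 UTC."""
    return find_compromised(parse_events(SAMPLE_LOG), now=_epoch("2024-01-01T12:00:00"))


if __name__ == "__main__":
    for user, info in sorted(detect_from_sample().items()):
        print(f"Compromised Account={user} loginAttempts={info['loginAttempts']} "
              f"Latest Attempt={info['latestAttempt']}")
```

Only alice and dave are reported; bob is under the threshold, carol's failures fall outside the 600-second window, the machine account is excluded, and erin's success sits past the `latest=-1min` boundary. Note that `where loginAttempts > 4` means at least five failures, which is worth keeping in mind when tuning the threshold.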
Hi @DalJeanis: Thanks for your help. Unfortunately the above query is not returning results. Instead I came up with this query, in which I'm directly giving the earliest and latest time frames as values instead of taking the value from the first search:
index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$" | stats latest(_time) AS lastLogin1 by user | eval timewindow=lastLogin - 600 | map maxsearches=1000 search=" search index=wineventlog TaskCategory=Logon earliest=-20m latest=-1m action=failure $user$" " | stats count AS loginAttempts , latest(_time) AS "Latest Attempt" by user |where loginAttempts > 4 | convert ctime("Latest Attempt") | rename user AS "Compromised Account"
Moreover, this query takes 15 minutes to run before it shows the results.
What could be the reason the above query (the query with earliest=$timewindow$) is not returning results? Is there any workaround for your query?
I have tried the two queries below but got no results:
index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$" | stats latest(_time) AS lastLogin1 by user | eval timewindow=lastLogin - 600 | map maxsearches=1000 search=" search index=wineventlog TaskCategory=Logon earliest=$timewindow$ latest=$lastLogin$ user=$user$"| stats count AS loginAttempts , latest(_time) AS "Latest Attempt" by user |where loginAttempts > 4 | convert ctime("Latest Attempt")
| rename user AS "Compromised Account"
And
index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$" | stats latest(_time) AS lastLogin by user | eval timewindow=lastLogin - 600
| map [search index=wineventlog TaskCategory=Logon action="failure" earliest=$timewindow$ latest=$lastLogin$ user="$user$"] maxsearches=100 | stats count AS loginAttempts , latest(_time) AS "Latest Attempt" by user | where loginAttempts > 4 | convert ctime("Latest Attempt")
| rename user AS "Compromised Account"
Map actually supports 2 formats: double-quotes and square-brackets. You might be better served with this:
index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$"
| stats latest(_time) AS lastLogin by user
| eval timewindow=lastLogin - 600
| map [search index=wineventlog TaskCategory=Logon action="failure" earliest=$timewindow$ latest=$lastLogin$ user="$user$"] maxsearches=100
| stats count AS loginAttempts , latest(_time) AS "Latest Attempt" by user
| where loginAttempts > 4
| convert ctime("Latest Attempt")
| rename user AS "Compromised Account"
@woodcock: Thanks for replying. But when I'm running the query,
index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$" | stats latest(_time) AS lastLogin by user | eval timewindow=lastLogin - 600 | map maxsearches=100 [search index=wineventlog TaskCategory=Logon action="failure" earliest=$timewindow$ latest=$lastLogin$ user="$user$"] | stats count AS loginAttempts , latest(_time) AS "Latest Attempt" by user | where loginAttempts > 4 | convert ctime("Latest Attempt") | rename user AS "Compromised Account"
I just get an error message: "Error in 'map' command: Unable to find saved search 'maxsearches=100'."
Is there any workaround for this issue?
My bad; I put that clause at the beginning instead of the end. I updated my answer; try it now.
@renjujacob88, put maxsearches after the search string: map search="<yourSearchString>" maxsearches=100
| map search="index=wineventlog TaskCategory=Logon action=\"failure\" earliest=$timewindow$ latest=$lastLogin$ user=$user$" maxsearches=100