
Successful Bruteforce login

Path Finder

I have two queries for detecting brute-force logins but I am not able to get results. Can someone tell me why I'm not getting the results?

index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$"| stats count, latest(time) AS lastLogin by user |eval timewindow=lastLogin - 600 | map maxsearches=100 search="index=wineventlog TaskCategory=Logon" action="failure" earliest=$timewindow$ latest=$lastLogin$ user=$user$"| stats count, latest(time) AS "Latest Attempt" by user | convert ctime("Latest Attempt") | rename user AS "Compromised Account", count AS "loginAttempts" | where loginAttempts > 4]

Another one is the

index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$"| stats count, latest(time) AS lastLogin by user |eval timewindow=lastLogin - 600 | map [search index=wineventlog TaskCategory=Logon action=failure earliest=$timewindow$ latest=$lastLogin$ user=$user$ |stats count, latest(time) AS "Latest Attempt" by user | rename user AS "Compromised Account", count AS "loginAttempts" | where loginAttempts > 4 ] maxsearches=1000

When I run this I'm getting an error like: Invalid value "$timewindow$" for time term 'earliest'

Is there any way I can pass the value to the earliest and latest fields in the second search in map?

Any help will be appreciated.

SplunkTrust

It's telling you that the token is not being passed correctly for the variable $timewindow$, but I think the real problem is that you haven't escaped the quotes inside your map-search string.

We've escaped the quotes around failure in your code. It isn't really necessary to HAVE quotes there, before the first pipe in the search, but since that's the base problem, we figured we'd show you the fix.

We've also ...

  • removed the extra quote after Logon
  • removed the unused count from the first stats
  • moved the rename of count from the second stats into the second stats
  • moved the final where clause up to save reformatting things you don't want to see, and
  • formatted the query language for easy reading...

So, try this -

index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$"
| stats latest(_time) AS lastLogin by user 
| eval timewindow=lastLogin - 600 
| map maxsearches=100 search="index=wineventlog TaskCategory=Logon action=\"failure\" earliest=$timewindow$ latest=$lastLogin$ user=$user$"
| stats count AS loginAttempts , latest(_time) AS "Latest Attempt" by user 
| where loginAttempts > 4
| convert ctime("Latest Attempt") 
| rename user AS "Compromised Account"

As a general case, I suggest that Splunk programmers get out of the habit of having spaces in field names ("Latest Attempt") until they are completely done with all processing, and preferably not then. If you have internal spaces, that means you have to quote them, which then gives you a whole lot of redundant work if you ever want to use map or a few more useful commands.
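The correlation the fixed query performs (latest successful logon per user, then a look-back of 600 seconds for that user's failures, flagging more than 4) written out in Python over constructed logon events, as an added example that is not part of the thread; the event tuples, `T0` and the function name are assumptions made for illustration:

```python
from datetime import datetime, timedelta

# Constructed sample logon events (not from the thread): (time, user, action),
# modelled on index=wineventlog TaskCategory=Logon with action success/failure.
T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = (
    # alice: 6 failures in the 10 minutes before a success -> should be flagged
    [(T0 + timedelta(seconds=30 * i), "alice", "failure") for i in range(6)]
    + [(T0 + timedelta(seconds=200), "alice", "success")]
    # bob: only 2 failures before success -> below the threshold
    + [(T0 + timedelta(seconds=10), "bob", "failure"),
       (T0 + timedelta(seconds=20), "bob", "failure"),
       (T0 + timedelta(seconds=60), "bob", "success")]
    # carol: 6 failures, but all more than 600 s before the success -> outside the window
    + [(T0 - timedelta(seconds=900 + i), "carol", "failure") for i in range(6)]
    + [(T0, "carol", "success")]
    # HOST01$: machine account, excluded by the user!="*$" filter
    + [(T0 + timedelta(seconds=i), "HOST01$", "failure") for i in range(10)]
    + [(T0 + timedelta(seconds=20), "HOST01$", "success")]
)

def detect_bruteforce_success(events, window_s=600, threshold=4):
    """Return {user: (loginAttempts, latest_attempt)} for accounts whose latest
    successful logon was preceded by more than `threshold` failures within `window_s`."""
    # Stage 1 (the outer stats): latest successful logon per user, skipping machine accounts.
    last_login = {}
    for t, user, action in events:
        if action == "success" and not user.endswith("$"):
            last_login[user] = max(t, last_login.get(user, t))
    # Stage 2 (what the map subsearch does per row): count failures in
    # [lastLogin - window, lastLogin] for that user and keep those over the threshold.
    flagged = {}
    for user, last in last_login.items():
        window_start = last - timedelta(seconds=window_s)
        fails = [t for t, u, a in events
                 if u == user and a == "failure" and window_start <= t <= last]
        if len(fails) > threshold:
            flagged[user] = (len(fails), max(fails))
    return flagged

if __name__ == "__main__":
    for user, (attempts, latest) in detect_bruteforce_success(EVENTS).items():
        print(f"Compromised Account={user} loginAttempts={attempts} Latest Attempt={latest:%c}")
```

Running it flags only alice; carol's failures show why the look-back window matters, since the same six failures a quarter of an hour earlier would not be correlated with her later success.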

Path Finder

Hi @DalJeanis: Thanks for your help. Unfortunately the above query is not returning results. Instead I came up with this query, in which I'm directly giving the earliest and latest time frames as values instead of taking the value from the first search:

index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$" | stats latest(time) AS lastLogin1 by user | eval timewindow=lastLogin - 600 | map maxsearches=1000 search=" search index=wineventlog TaskCategory=Logon earliest=-20m latest=-1m action=failure $user$" " | stats count AS loginAttempts , latest(time) AS "Latest Attempt" by user |where loginAttempts > 4 | convert ctime("Latest Attempt") | rename user AS "Compromised Account"

Moreover, this query takes 15 minutes to run before showing the results.

What could be the reason the above query (the one with earliest=$timewindow$) is not returning results? Is there any workaround for your query?

I have tried the two queries below but got no results.

index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$" | stats latest(time) AS lastLogin1 by user | eval timewindow=lastLogin - 600 | map maxsearches=1000 search=" search index=wineventlog TaskCategory=Logon earliest=$timewindow$ latest=$lastLogin$ user=$user$"| stats count AS loginAttempts , latest(time) AS "Latest Attempt" by user |where loginAttempts > 4 | convert ctime("Latest Attempt") | rename user AS "Compromised Account"

And

index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$" | stats latest(time) AS lastLogin by user | eval timewindow=lastLogin - 600 | map [search index=wineventlog TaskCategory=Logon action="failure" earliest=$timewindow$ latest=$lastLogin$ user="$user$"] maxsearches=100 | stats count AS loginAttempts , latest(time) AS "Latest Attempt" by user | where loginAttempts > 4 | convert ctime("Latest Attempt") | rename user AS "Compromised Account"


Esteemed Legend

Map actually supports 2 formats: double-quotes and square-brackets. You might be better served with this:

index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$"
| stats latest(_time) AS lastLogin by user 
| eval timewindow=lastLogin - 600 
| map [search index=wineventlog TaskCategory=Logon action="failure" earliest=$timewindow$ latest=$lastLogin$ user="$user$"] maxsearches=100
| stats count AS loginAttempts , latest(_time) AS "Latest Attempt" by user 
| where loginAttempts > 4
| convert ctime("Latest Attempt") 
| rename user AS "Compromised Account"

Path Finder

@woodcock, thanks for replying, but when I'm running the query

index=wineventlog TaskCategory=Logon earliest=-20min@min latest=-1min@min action="success" user!="*$" | stats latest(time) AS lastLogin by user | eval timewindow=lastLogin - 600 | map maxsearches=100 [search index=wineventlog TaskCategory=Logon action="failure" earliest=$timewindow$ latest=$lastLogin$ user="$user$"] | stats count AS loginAttempts , latest(time) AS "Latest Attempt" by user | where loginAttempts > 4 | convert ctime("Latest Attempt") | rename user AS "Compromised Account"

I'm just getting an error message: "Error in 'map' command: Unable to find saved search 'maxsearches=100'."

Is there any workaround for this issue?


Esteemed Legend

My bad; I put that clause at the beginning instead of the end. I updated my answer; try it now.


SplunkTrust

@renjujacob88, put maxsearches after the map search string, i.e. map search="<yourSearchString>" maxsearches=100:

 | map search="index=wineventlog TaskCategory=Logon action=\"failure\" earliest=$timewindow$ latest=$lastLogin$ user=$user$" maxsearches=100 
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"