Splunk Enterprise Security

Multiple Account Lockout Correlation

ericl42
Path Finder

Hello,

I'm fairly new to Splunk and I've been playing around with some of the security correlation rules and needed some guidance on one.

Below is a search that shows me the user, signature, source of the lockout, and how many times that particular user got locked out from that host.

index=windows* source=WinEventLog:Security EventCode=4740 | stats count by user, signature, src_nt_host

If I do a where count >X on this, it will alert me if one user got locked out multiple times, but I want to know if Y unique users get locked out within a time period. The search below does that, but it doesn't have any useful information with it.

index=windows* source=WinEventLog:Security EventCode=4740 | stats count by signature

Is there a way to show the information from the top query but do a count on how many total log events trip? I'm going to turn this into a correlation rule and we want the appropriate alert but when I click on the query, I'd like it to show the relevant information without hopping to another search.

Thanks for your help.

1 Solution

whrg
Motivator

A simple search to show how many users got locked out could be:

index=windows* source=WinEventLog:Security EventCode=4740 | stats dc(user) as distinct_users values(user) as users

Since you want to keep the information from your top query, I suggest the following search:

index=windows* source=WinEventLog:Security EventCode=4740 | stats count by user,signature,src_nt_host | eventstats dc(user) as distinct_users

0 Karma

ericl42
Path Finder

Thank you very much. Overall that did what I wanted it to do. I think the only tweak I'm going to have to perform is that I have a few entries where the user has multiple src_nt_hosts. So the distinct_users count is maybe 100 where the overall events are 150 since admin may have hits from server1, server2, and server3.

0 Karma

whrg
Motivator

If you have multivalue fields like src_nt_hosts then you could either use
| mvexpand src_nt_host
or
| eval src_nt_host=mvindex(src_nt_host,1)

0 Karma
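The searches in this thread build a correlation that alerts on the number of distinct locked-out users while keeping the per-user, per-signature, per-host detail rows. The Python below is an added example, not code from the thread or from Splunk, that reproduces that pipeline over a handful of constructed 4740 events: a `stats count by user,signature,src_nt_host` step, an `eventstats dc(user)` step, the `mvexpand` step suggested for a multivalue host field, and a `where distinct_users >= Y` threshold. Field names follow the thread's searches; the sample events, the single multivalue event, the `total_lockouts` column, and the `lockout_correlation` function name are all constructed for illustration.

```python
from collections import Counter

# Constructed sample of Windows Security events, already parsed into the
# fields used by the thread's search. Not real log data. One admin event
# carries a list in src_nt_host to stand in for a Splunk multivalue field.
SAMPLE_EVENTS = [
    {"EventCode": 4740, "user": "alice", "signature": "A user account was locked out", "src_nt_host": "WS01"},
    {"EventCode": 4740, "user": "alice", "signature": "A user account was locked out", "src_nt_host": "WS01"},
    {"EventCode": 4740, "user": "bob",   "signature": "A user account was locked out", "src_nt_host": "WS02"},
    {"EventCode": 4740, "user": "admin", "signature": "A user account was locked out", "src_nt_host": "SERVER1"},
    {"EventCode": 4740, "user": "admin", "signature": "A user account was locked out", "src_nt_host": ["SERVER2", "SERVER3"]},
    {"EventCode": 4624, "user": "carol", "signature": "An account was successfully logged on", "src_nt_host": "WS03"},
]


def mvexpand(events, field):
    """Equivalent of `| mvexpand <field>`: one event per value of a multivalue field.
    Single-valued events pass through unchanged."""
    expanded = []
    for event in events:
        values = event[field] if isinstance(event[field], list) else [event[field]]
        expanded.extend(dict(event, **{field: value}) for value in values)
    return expanded


def stats_count_by(events, fields):
    """Equivalent of `| stats count by <fields>`: one row per distinct field combination."""
    counter = Counter(tuple(event[f] for f in fields) for event in events)
    return [dict(zip(fields, key), count=n) for key, n in counter.items()]


def eventstats_dc(rows, field, as_name):
    """Equivalent of `| eventstats dc(<field>) as <as_name>`: every row is annotated
    with the number of distinct values of <field> across the whole result set."""
    distinct = len({row[field] for row in rows})
    return [dict(row, **{as_name: distinct}) for row in rows]


def eventstats_sum(rows, field, as_name):
    """Equivalent of `| eventstats sum(<field>) as <as_name>` (constructed addition
    showing the total-event count that differs from the distinct-user count)."""
    total = sum(row[field] for row in rows)
    return [dict(row, **{as_name: total}) for row in rows]


def lockout_correlation(events, min_distinct_users):
    """Model of the thread's final search plus a threshold:
    EventCode=4740 | mvexpand src_nt_host
                   | stats count by user,signature,src_nt_host
                   | eventstats dc(user) as distinct_users
                   | where distinct_users >= min_distinct_users
    Returns the detail rows when the threshold trips, otherwise an empty list."""
    lockouts = [e for e in events if e["EventCode"] == 4740]
    lockouts = mvexpand(lockouts, "src_nt_host")
    rows = stats_count_by(lockouts, ["user", "signature", "src_nt_host"])
    rows = eventstats_dc(rows, "user", "distinct_users")
    rows = eventstats_sum(rows, "count", "total_lockouts")
    return [row for row in rows if row["distinct_users"] >= min_distinct_users]


if __name__ == "__main__":
    for row in lockout_correlation(SAMPLE_EVENTS, min_distinct_users=3):
        print(row)
```

On the constructed sample, `distinct_users` is 3 on every row while `total_lockouts` is 6 and there are 5 detail rows, which is the same gap the question describes between the distinct-user count and the overall event count when one user is locked out from several hosts. The threshold for the correlation belongs on `distinct_users`; the per-row `count` still shows how many times each user was locked out from each host.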
