Splunk Enterprise Security

Multiple Account Lockout Correlation

Path Finder

Hello,

I'm fairly new to Splunk and I've been playing around with some of the security correlation rules and needed some guidance on one.

Below is a search that shows me the user, signature, source of the lockout, and how many times that particular user got locked out from that host.

index=windows* source=WinEventLog:Security EventCode=4740 | stats count by user, signature, src_nt_host

If I do a where count >X on this, it will alert me if one user got locked out multiple times, but I want to know if Y unique users get locked out within a time period. The search below does that, but it doesn't have any useful information with it.

index=windows* source=WinEventLog:Security EventCode=4740 | stats count by signature

Is there a way to show the information from the top query but do a count on how many total log events trip? I'm going to turn this into a correlation rule and we want the appropriate alert but when I click on the query, I'd like it to show the relevant information without hopping to another search.

Thanks for your help.

1 Solution

Motivator

A simple search to show how many users got locked out could be:

index=windows* source=WinEventLog:Security EventCode=4740 | stats dc(user) as distinct_users values(user) as users

Since you want to keep the information from your top query, I suggest the following search:

index=windows* source=WinEventLog:Security EventCode=4740 | stats count by user,signature,src_nt_host | eventstats dc(user) as distinct_users


0 Karma

Path Finder

Thank you very much. Overall that did what I wanted it to do. I think the only tweak I'm going to have to perform is that I have a few entries where the user has multiple src_nt_host values. So the distinct_users count is maybe 100 where the overall events are 150, since admin may have hits from server1, server2, and server3.

0 Karma

Motivator

If you have multivalue fields like src_nt_host then you could either use
| mvexpand src_nt_host
or
| eval src_nt_host=mvindex(src_nt_host,1)

0 Karma
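The accepted search turned into a complete correlation rule, as an added example that is not from any of the posts above. It keeps the per-user/signature/host rows from the original question, adds total_lockouts next to distinct_users so the two figures the follow-up post compares (100 distinct users vs. 150 events when one account is locked out from several hosts) are both visible in the alert, and fires only when enough different users are locked out; the threshold of 10 is an assumed placeholder, and the time window is assumed to come from the correlation search's own schedule (for instance every 15 minutes over the last 15 minutes).

```spl
index=windows* source=WinEventLog:Security EventCode=4740
| stats count AS lockouts BY user, signature, src_nt_host
| eventstats dc(user) AS distinct_users, sum(lockouts) AS total_lockouts
| where distinct_users >= 10
| sort 0 -lockouts
```

Because the where clause filters on the eventstats field rather than on count, every detail row survives when the rule trips and none survive when it does not, which is what lets the alert drill-down show the relevant rows without a second search.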