How would I write a search to look for failed logons coming from the same account happening across different systems? For example, an administrator account named Bob failed to log on to 10 different computers in under a 5 minute time span. He only attempted to log on 1 time to each of the 10 computers but failed each time.
Also, is there a Splunk forum created specifically for security related searches and ideas similar to this?
Like this:
| tstats summariesonly=t count dc(Authentication.dest) AS destCount values(Authentication.dest) AS dests
FROM datamodel=Authentication
WHERE index=* AND nodename=Authentication.Failed_Authentication
BY Authentication.src_user
| where destCount >= 2
Hi @johann2017
Splunk Security Essentials is an amazing (free!) addon that has tons of searches like this. Get it from here: https://splunkbase.splunk.com/app/3435/
Now to address your specific question. Typically you just run a search that looks for all authentication events, regardless of system. You can do this like so:
search tag=authentication
This is because most official addons will be set to tag authentication events appropriately.
If you want to get more advanced, you should consider using the Splunk CIM and you can use the Authentication accelerated data model for more efficient searches.
Hope this helps
Thanks Chris, I upgraded my Security Essentials app; I will try that out. I was trying with this search:
index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4771 (user!="*$" AND user!="Guest") |
timechart count as Failed_Logon_Attempts values(host) as host values(Failure_Reason) as Failure_Reason values(user) as user by Source_Workstation | eval threshold=200
However, it does not seem to be working properly. The threshold does not seem to work.
Maybe you need to do something more like this:
index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4771 (user!="*$" AND user!="Guest") |
timechart count as Failed_Logon_Attempts by Source_Workstation | eval threshold = 200
Or something like this:
index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4771 (user!="*$" AND user!="Guest") | stats count as Failed_Logon_Attempts values(host) as host values(Failure_Reason) as Failure_Reason values(user) as user by Source_Workstation | search Failed_Logon_Attempts > 200
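Added example (not from this thread or from Splunk): the "one account, many computers, short window" rule from the original question, written as plain Python over constructed failed-logon events, so the expected result can be checked before the equivalent Splunk search is built. Event tuples, host names and the BASE timestamp are all made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon events as (user, computer, time); the
# same shape a tag=authentication or EventID=4771 search returns. Not real data.
BASE = datetime(2017, 6, 1, 9, 0, 0)
EVENTS = (
    # Bob: 10 distinct computers inside ~4 minutes, one failure each
    [("Bob", f"WS-{i:02d}", BASE + timedelta(seconds=25 * i)) for i in range(10)]
    # Alice: only 2 distinct computers
    + [("Alice", "WS-01", BASE + timedelta(minutes=1)),
       ("Alice", "WS-02", BASE + timedelta(minutes=2)),
       ("Alice", "WS-01", BASE + timedelta(minutes=3))]
    # Computer account (ends in $): excluded, like user!="*$" in the thread
    + [("SVC01$", f"DC-{i}", BASE + timedelta(seconds=i)) for i in range(12)]
    # Carol: 10 computers but spread 10 minutes apart, so never 10 in 5 minutes
    + [("Carol", f"WS-{i:02d}", BASE + timedelta(minutes=10 * i)) for i in range(10)]
)


def spray_windows(events, threshold=10, window=timedelta(minutes=5)):
    """Return {user: (window_start, sorted distinct hosts)} for every account
    whose failures reach `threshold` distinct computers inside `window`.
    Same idea as dc(dest) BY src_user, but with a sliding window rather than
    fixed 5-minute buckets, so a burst straddling a bucket edge is still caught."""
    per_user = defaultdict(list)
    for user, host, ts in events:
        if user.endswith("$") or user == "Guest":  # exclusions used in the thread
            continue
        per_user[user].append((ts, host))
    hits = {}
    for user, rows in per_user.items():
        rows.sort()
        recent = deque()
        for ts, host in rows:
            recent.append((ts, host))
            while ts - recent[0][0] > window:  # drop events older than the window
                recent.popleft()
            hosts = {h for _, h in recent}
            if len(hosts) >= threshold and user not in hits:
                hits[user] = (recent[0][0], sorted(hosts))
    return hits


if __name__ == "__main__":
    for user, (start, hosts) in spray_windows(EVENTS).items():
        print(f"{user}: {len(hosts)} computers from {start:%H:%M:%S}: {hosts}")
```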