Splunk Search

Can you help me create a search for failed logons?

Explorer

How would I write a search to look for failed logons coming from the same account happening across different systems? For example, an administrator account named Bob failed to log on to 10 different computers in under a 5 minute time span. He only attempted to log on 1 time to each of the 10 computers but failed each time.

Also, is there a Splunk forum created specifically for security related searches and ideas similar to this?

0 Karma

Esteemed Legend

Like this:

 | tstats summariesonly=t dc(Authentication.dest) AS destCount values(Authentication.dest) AS dests
 FROM datamodel=Authentication
 WHERE index=* AND nodename=Authentication.Failed_Authentication
 BY Authentication.user, _time span=5m
 | where destCount >= 2

SplunkTrust

Hi @johann2017

Splunk Security Essentials is an amazing (free!) addon that has tons of searches like this. Get it from here: https://splunkbase.splunk.com/app/3435/

Now to address your specific question. Typically you just run a search that looks for all authentication events, regardless of system. You can do this like so: search tag=authentication. This is because most official add-ons will be set to tag authentication events appropriately.

If you want to get more advanced, you should consider using the Splunk CIM and you can use the Authentication accelerated data model for more efficient searches.

Hope this helps

0 Karma

Explorer

Thanks Chris, I upgraded my Security Essentials app and I will try that out. I was trying with this search:

 index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4771 (user!="*$" AND user!="Guest")
 | timechart count as FailedLogonAttempts values(host) as host values(FailureReason) as FailureReason values(user) as user by Source_Workstation
 | eval threshold=200

However it does not seem to be working properly. The threshold does not seem to work

0 Karma

SplunkTrust

Maybe you need to do something more like this:

 index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4771 (user!="*$" AND user!="Guest")
 | timechart count as Failed_Logon_Attempts by Source_Workstation
 | eval threshold = 200

or something like this

 index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4771 (user!="*$" AND user!="Guest")
 | stats count as Failed_Logon_Attempts values(host) as host values(Failure_Reason) as Failure_Reason values(user) as user by Source_Workstation
 | where Failed_Logon_Attempts > 200

0 Karma
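The two search shapes in this thread (the tstats search that counts distinct destinations per account in 5-minute buckets, and the stats search that applies a count threshold per workstation) can be modelled offline to see what they do and do not catch. The Python below is an added example, not code from the thread or from Splunk; it assumes a constructed, simplified one-line log format (timestamp, EventID, user, dest) rather than real XmlWinEventLog:Security output, and the sample events are made up. It applies the same machine-account and Guest exclusions as the posted searches, then runs two detections over the same data: fixed 5-minute buckets (what `BY ... _time span=5m` gives you) and a true sliding 5-minute window.

```python
"""Offline model of the 'one account fails on many hosts in a short window' search.

Added example with constructed sample data and an assumed simplified log format;
it is not real Windows event output and not code from the Splunk thread.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs treated as failed logons: 4771 (Kerberos
# pre-authentication failed, used in the thread) and 4625 (an account failed to log on).
FAILED_LOGON_EVENT_IDS = {"4771", "4625"}

# Assumed one-line format for the constructed sample; a real XmlWinEventLog:Security
# event would be field-extracted by the Windows add-on instead of this regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+) dest=(?P<dest>\S+)$"
)


def _line(ts, user, dest, eid="4771"):
    return f"{ts} EventID={eid} user={user} dest={dest}"


# Constructed sample events (not captured logs):
#  - bob fails once on each of 10 hosts between 10:03:10 and 10:07:40 (4m30s),
#    deliberately straddling the 10:05 boundary of the 5-minute buckets;
#  - alice fails on 3 hosts spread over 40 minutes (benign typo pattern);
#  - Guest and the machine account SRV01$ also hit 10 hosts but are excluded;
#  - one successful logon (4624) for bob must be ignored by the parser.
SAMPLE_LINES = (
    [_line(f"2024-03-01T10:0{3 + i // 2}:{'10' if i % 2 == 0 else '40'}Z", "bob", f"ws{i + 1:02d}")
     for i in range(10)]
    + [_line("2024-03-01T10:03:15Z", "bob", "ws99", eid="4624")]
    + [_line(f"2024-03-01T10:{m:02d}:00Z", "alice", f"ws{m:02d}") for m in (0, 20, 40)]
    + [_line(f"2024-03-01T11:00:{i * 5:02d}Z", "Guest", f"ws{i + 1:02d}") for i in range(10)]
    + [_line(f"2024-03-01T11:10:{i * 5:02d}Z", "SRV01$", f"ws{i + 1:02d}") for i in range(10)]
)


def is_candidate_account(user):
    """Mirror the thread's filter: drop machine accounts (trailing $) and Guest."""
    return not user.endswith("$") and user.lower() != "guest"


def parse_line(line):
    """Return {'time', 'user', 'dest'} for a failed-logon line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None or m["eid"] not in FAILED_LOGON_EVENT_IDS:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "dest": m["dest"],
    }


def _failed_logons(lines):
    for ev in map(parse_line, lines):
        if ev is not None and is_candidate_account(ev["user"]):
            yield ev


def tumbling_bucket_alerts(lines, span_minutes=5, min_hosts=10):
    """Model of `... BY user, _time span=5m | where dc(dest) >= N`: fixed buckets."""
    hosts = defaultdict(set)
    for ev in _failed_logons(lines):
        t = ev["time"]
        bucket = t.replace(minute=t.minute - t.minute % span_minutes, second=0, microsecond=0)
        hosts[(ev["user"], bucket)].add(ev["dest"])
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= min_hosts}


def sliding_window_alerts(lines, window_minutes=5, min_hosts=10):
    """Per user, count distinct hosts in any window of `window_minutes` ending at an event."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in _failed_logons(lines):
        by_user[ev["user"]].append((ev["time"], ev["dest"]))

    alerts = {}
    for user, events in by_user.items():
        events.sort()
        in_window = Counter()  # dest -> number of its events inside the current window
        start = 0
        for t, dest in events:
            in_window[dest] += 1
            while t - events[start][0] > window:  # expire events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_hosts and user not in alerts:
                alerts[user] = {"first": events[start][0], "last": t, "hosts": sorted(in_window)}
    return alerts


if __name__ == "__main__":
    print("tumbling 5m buckets:", tumbling_bucket_alerts(SAMPLE_LINES))
    print("sliding 5m window:  ", sliding_window_alerts(SAMPLE_LINES))
```

On this data the bucketed version reports nothing at a threshold of 10: bob's burst lands as 4 hosts in the 10:00 bucket and 6 in the 10:05 bucket, which is exactly how `span=5m` splits a 5-minute burst that crosses a boundary. The sliding version reports bob with all 10 hosts. If that matters for your alert, either lower the per-bucket threshold and accept more noise, or use a sliding-window command such as `streamstats time_window=5m dc(dest) ... by user` on time-sorted events instead of bucketing.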