Good morning all! Today my goal is : evaluate suspicious logfail by a criteria (as follow).
If "logfail" on the same host into my network are grater than #15 over a timerange=2mins Im interested to that event. In other words: I want splunk investigates any potentially dangerous login scenario over my network.
I tried to build my search as follow:
defining the perimeter of my search
sourcetype="WinEventLog:Security" tag::eventtype="LOGFAIL" startdaysago=1
|bucket _time span=2m
To evaluate each 2 minutes into previous 24 hours and evaluate if number of LOGFAIL on the same Computer, for each bucket was grater than 5
I would really appreciate if anybody could help me suggesting how to complete that search.
I tried transaction to group ComputerName,LOGFAIL but Im not able to define e "minvalueevents"
Thanks in advance for your time and suggestions.
Bye for now.
p.s.Dear visitor: if this question and\or answers are helpful for your knowledge than let me invite you to vote their answer, in my opinion the easiest way to say them tks for suggestions and help.Bye
I have been working on a similiar search. Here is what I have come up with so far. I try to use the User_Name to give me acount and list all the servers that user touched. One thing I would like to figure out is when the user touches the same server multiple times that it would list it once and give a number behind it for how many times on that server.
Type="Failure Audit" EventCode!="672" EventCode!="673" EventCode!="675" | transaction User_Name host maxpause=5m | stats count , list(host) by User_Name | search count>2 | sort -count
And if you see something I could be doing better, please let me know.
Tks for your suggestions, thall:) As soon as possible I will try to give you my feedback about your search string. Just for now..i suggest you to use eventtypes into your search.For ex.: save as eventtype Type="Failure Audit" EventCode!="672" EventCode!="673" EventCode!="675" and tag it as LOGIN After that you may use, for example tag::eventtype=LOGIN | transaction UserName host maxpause=5m | stats count , list(host) by UserName | search count>2 | sort -count to get the same results ..and, moreover, you ll able to add into that saved eventtype more eventcode as you need, in the future. – nik
If you're interested in treating the two minute periods as fixed fenceposts, then there's a simple answer.
(by this I mean analyzing it as: 4 attempts between 12:02 and 12:04, 7 attempts between 12:04 to 12:06 etc).
If instead you want to deal in rolling 2-minute periods per event, I'll come back to that at the end.
You're right you need to bucket your times, but then you just pipe to stats to count up the number for each host in each time bucket.
sourcetype="WinEventLog:Security" tag::eventtype="LOGFAIL" | bucket _time span=2m | stats count by host _time
and if you want to filter out the entries that didnt meet your threshold you pipe to another search command after that:
sourcetype="WinEventLog:Security" tag::eventtype="LOGFAIL" | bucket _time span=2m | stats count by _time host | search count>15
( If instead you want to be calculating a rolling 2 minute period, then you might want to make use of the 'concurrency' search command which is new in 4.1, and which makes such things slightly easier. You'd have to do "eval duration=2" before the concurrency command, and you probably want to apply some stats logic after it to clean it up but it'll work. )
Thanks so much Nick for your help.
It perfectly works..
Have a good day!