Hi Team,
I would like to find out which users have failed login attempts greater than 6 times, where those 6 failed login attempts happened within a 1-hour window, regardless of the time range selected in the time range picker.
e.g.: index="......" sourcetype="........" user="abcd113" EventCode=4625
So, on the basis of my search criteria, let me know how to find failed attempts within a one-hour window that are greater than 6 times, whether the time range is the last 30 days, 24 hours, 7 days, or any other range.
Hi @90509,
You can do that by simply adding an "hour" field and then hiding it, like this:
index="......" sourcetype="........" user="abcd113" EventCode=4625
| eval hourDay=strftime(_time,"%y-%m-%d %H:00")
| stats count by user,hourDay
| where count >6
| fields - hourDay
Or use the bin command if you're comfortable with that:
index="......" sourcetype="........" user="abcd113" EventCode=4625
| bin _time span=1h
| stats count by user,_time
| where count >6
| fields - _time
Let me know if that helps.
Cheers,
David
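Both searches above count failures inside fixed clock-hour buckets, so a burst that straddles an hour boundary (e.g. 10:50 to 11:07) is split across two buckets and never reaches the threshold. The following is an added illustration, not code from this thread or from Splunk: it replays constructed EventCode 4625 events through the same fixed-bin logic as `bin _time span=1h | stats count by user,_time | where count>6`, and beside it a sliding 60-minute window, to show which bursts each approach catches.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample failed-logon events (user, timestamp); not real data.
SAMPLE_EVENTS = [
    ("abcd113", "2024-03-01 10:50"), ("abcd113", "2024-03-01 10:52"),
    ("abcd113", "2024-03-01 10:55"), ("abcd113", "2024-03-01 10:58"),
    ("abcd113", "2024-03-01 11:01"), ("abcd113", "2024-03-01 11:04"),
    ("abcd113", "2024-03-01 11:07"),  # 7 failures in 17 min, straddling 11:00
    ("zzz9", "2024-03-01 14:05"), ("zzz9", "2024-03-01 14:06"),
    ("zzz9", "2024-03-01 14:08"), ("zzz9", "2024-03-01 14:11"),
    ("zzz9", "2024-03-01 14:14"), ("zzz9", "2024-03-01 14:17"),
    ("zzz9", "2024-03-01 14:20"),    # 7 failures, all inside the 14:00 hour
]

def parse(events):
    return [(u, datetime.strptime(ts, "%Y-%m-%d %H:%M")) for u, ts in events]

def fixed_hour_bins(events, threshold=6):
    """Mirror of `bin _time span=1h | stats count by user,_time | where count>6`."""
    counts = defaultdict(int)
    for user, t in events:
        bucket = t.replace(minute=0, second=0, microsecond=0)  # floor to the hour
        counts[(user, bucket)] += 1
    return sorted({user for (user, _), c in counts.items() if c > threshold})

def sliding_hour_window(events, threshold=6, window=timedelta(hours=1)):
    """Flag a user if more than `threshold` failures fall in ANY 60-minute span."""
    by_user = defaultdict(list)
    for user, t in events:
        by_user[user].append(t)
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 > threshold:
                flagged.add(user)
                break
    return sorted(flagged)

if __name__ == "__main__":
    ev = parse(SAMPLE_EVENTS)
    print("fixed bins:", fixed_hour_bins(ev))        # ['zzz9']
    print("sliding   :", sliding_hour_window(ev))    # ['abcd113', 'zzz9']
```

The fixed-bin version misses abcd113 because its burst is split 4/3 across two hours; in Splunk the sliding behaviour corresponds to a time-windowed `streamstats` rather than `bin`, at the cost of a heavier search.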
Start here and see if this helps. https://gosplunk.com/detect-username-guessing-brute-force-attacks/
Thanks to All for your support.
Hi @90509, Try this search:
<search to find events, specify index, sourcetype and event code, so...> | bin span=1h _time | stats count by user, _time | where count>6
This query will return any user who has failed login more than 6 times within a 1-hour time span.
Hope this helps!!!
Thanks David for your great support!!
Please provide some assistance. The above search is working absolutely perfectly, but I need to fetch only high-event data, NOT low-event data. How do I add that condition?
How could we know from which date the high events stopped coming into Splunk?
index="......" sourcetype="........" user="abcd113" EventCode=4625 OR EventCode=4720 OR EventCode=4722 OR EventCode=4738
| bin _time span=1h
| stats count by user, _time
| where count >6
| fields - _time
Here I need to fetch the high-event data, and how do I find from which date the high events stopped coming into Splunk?
David, I need to add fields like EventCode, Timestamp (_time), user, Account_Name, Account_Domain based on the above condition. So, could you please help me with how to do it?
Sure thing!
You will have to turn the first query:
index="......" sourcetype="........" user="abcd113" EventCode=4625
| eval hourDay=strftime(_time,"%y-%m-%d %H:00")
| stats count by user,hourDay
| where count >6
| fields - hourDay
Into this:
index="......" sourcetype="........" user="abcd113" EventCode=4625
| eval hourDay=strftime(_time,"%y-%m-%d %H:00")
| stats count, values(Account_Name) as Account_Name, values(Account_Domain) as Account_Domain, values(EventCode) as EventCode, last(_time) as timestamp by user, hourDay
| where count >6
| fields - hourDay
You can add as many values() fields as you want; just make sure you keep user and hourDay behind the by clause.
Most welcome! Please up-vote and accept if it worked for you 🙂