Splunk Search
Highlighted

Identifying Authentication Irregularities

Explorer

I've been tasked with searching for authentication irregularities and I am fairly new to splunk. Authentication irregularities is fairly broad and so I am wondering if the splunk community has any suggestions! Thanks in advance. And if you were wondering, yes I have read the manual already.

0 Karma
Highlighted

Re: Identifying Authentication Irregularities

Splunk Employee
Splunk Employee

Here are a couple of examples. Searches are sometimes specific to certain data or field extractions, so you probably won't get too many that will just work right off the bat for you, but these should give you some ideas.

For SSH logins: show me cases where there were at least 6 failed logins followed by a successful login (i.e. possible brute force login attack)

"failed password" OR "accepted password" | stats list(sshd_action) as list by host, user | eval list = mvjoin(list, " ") | eval alert = if(match(list, "Accepted (?:Failed\s?){6,}"), "True", "False") | where alert == "True"

Nice for a chart of the count of failed logins per user vs. the avg number of failed logins per user

(failed password) OR (logon failed) | stats count by user, host | eventstats avg(count) as avg | fields user, avg, count
Highlighted

Re: Identifying Authentication Irregularities

Explorer

MW thanks so much, I am pretty new to Splunk this really helped.

0 Karma
Highlighted

Re: Identifying Authentication Irregularities

Motivator

MV,

Running the chart of the count of failed logins per user vs. the avg number of failed logins per user search query, but I'm getting the same output in the average column for every user. Is that correct?

I'm seeing the following:

USER AVG COUNT
UserA 1.208333 3

UserB 1.208333 2
UserC 1.208333 1
etc

Thx

0 Karma