Splunk Search

In a search, how do I create a table that shows the failed login attempts for all users from the same system?

AaronMoorcroft
Communicator

Hi Guys,

I was hoping someone could help me out here. I have done some digging but I can't seem to get anything to work for me. What I would like is a search that returns a table showing failed login attempts for users all from the same system / IP, with a set time of 30 mins between attempts.

for example -

User           System  Failure Reason                Time since last failed logon attempt  No of attempts
Adam Smith     DC01    Unknown username or password  30 mins                               5
Pete Jones     DC01    Unknown username or password  30 mins                               5
Bob Beckette   DC01    Unknown username or password  30 mins                               5

0 Karma

whrg
Motivator

Hi! Have a look at this:

index=* tag=authentication action="failure"
| bucket _time span=30m
| stats dc(user) as count_users values(user) as users by src,_time
| search count_users>10

I made the search CIM-compliant. If you are using the Windows Add-on then the Windows authentication events should be CIM-compliant.

You can also remove the bucket line and instead set the time windows to last 30 minutes.

0 Karma

AaronMoorcroft
Communicator

Thank you, I'll give it a go and feed back 🙂

0 Karma

AaronMoorcroft
Communicator

Hey, that doesn't seem to work for me - this is one of the events -

2/03/2018 03:23:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=DC01.PurpleHaze.local
TaskCategory=Logon
OpCode=Info
RecordNumber=1204537
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Adam Rogers
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: DC01
Source Network Address: fe80::425:8ae2:c951:d1c8
Source Port: 63891

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

0 Karma

whrg
Motivator

Do you have the Splunk Add-on for Microsoft Windows installed on your search head and indexers?
When you run "index=* EventCode=4625 | head 100 | table _time,tag,action,user,src" then do you see a table with all columns nicely filled out?
Alternatively, replace "user" and "src" with your own fields.
Also, remove the last line "| search count_users>10" for testing purposes.

0 Karma

AaronMoorcroft
Communicator

So index=main EventCode=4625 | head 100 | table _time,tag,action,user,src displays a nice-looking table with only the _time column populated.

0 Karma

AaronMoorcroft
Communicator

Okay, so this populates now - index=main EventCode=4625 | head 150 | table _time,Workstation_Name,Account_Name,Keywords,Failure_Reason

It looks like this -

_time                Workstation_Name  Account_Name       Keywords       Failure_Reason
2018-12-03 15:53:52  DC01              Archie Pollitt     Audit Failure  Unknown user name or bad password.
2018-12-03 15:53:52  DC01              Bernard Hires      Audit Failure  Unknown user name or bad password.
2018-12-03 15:53:52  DC01              Serafina Alleman   Audit Failure  Unknown user name or bad password.
2018-12-03 15:53:52  DC01              Carmon Summitt     Audit Failure  Unknown user name or bad password.
2018-12-03 15:53:52  DC01              Ashly Prophet      Audit Failure  Unknown user name or bad password.
2018-12-03 15:53:52  DC01              Treena Mickel      Audit Failure  Unknown user name or bad password.
2018-12-03 15:53:52  DC01              Gino Kellar        Audit Failure  Unknown user name or bad password.
2018-12-03 15:53:52  DC01              Nina Maddalena     Audit Failure  Unknown user name or bad password.

0 Karma

whrg
Motivator

If these are real names in your sample data, you should mask them via ***.

Okay, so either you use these field names (Workstation_Name, Account_Name, ...) and place them in the search query above, or you set up the Windows add-on to have the CIM fields user, src, dest, ... extracted automatically.

0 Karma
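The search in the first answer (bucket into 30-minute windows, then count distinct users per source) and the field-name mapping in the answer above are the two halves of the detection; the following Python, added here as an example and not code from either poster or from Splunk, puts them together over a handful of constructed 4625 events in the same raw layout as the event posted in the thread. It parses the fields the raw event carries (Account Name under "Account For Which Logon Failed", Workstation Name, Source Network Address, Failure Reason), maps them onto the CIM names user/src/dest the way the add-on would, then reproduces `bucket _time span=30m | stats dc(user) values(user) count by src,_time` and builds the per-user table from the original question (attempts and time since the previous failure). The sample names, addresses and timestamps are made up, and the timestamp format (month/day/year, 12-hour clock) and the default threshold of two distinct users per window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one 4625 event per tuple, rendered into the raw layout
# shown in the thread (timestamp line, KEY=value header, multi-line Message).
# Users, addresses and times are invented for this example.
_TEMPLATE = """{ts}
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
ComputerName=DC01.PurpleHaze.local
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\t-

Logon Type:\t\t\t3

Account For Which Logon Failed:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\t{user}
\tAccount Domain:\t\t

Failure Information:
\tFailure Reason:\t\t{reason}
\tStatus:\t\t\t0xC000006D
\tSub Status:\t\t0xC0000064

Network Information:
\tWorkstation Name:\tDC01
\tSource Network Address:\t{src}
\tSource Port:\t\t63891
"""
_REASON = "Unknown user name or bad password."
_SAMPLE = [
    ("12/03/2018 03:20:11 PM", "Adam Smith",     "10.1.2.3", _REASON),
    ("12/03/2018 03:23:31 PM", "Pete Jones",     "10.1.2.3", _REASON),
    ("12/03/2018 03:31:05 PM", "Adam Smith",     "10.1.2.3", _REASON),
    ("12/03/2018 03:44:52 PM", "Bob Beckette",   "10.1.2.3", _REASON),
    ("12/03/2018 03:53:52 PM", "Pete Jones",     "10.1.2.3", _REASON),
    ("12/03/2018 04:05:00 PM", "Adam Smith",     "10.1.2.3", _REASON),
    ("12/03/2018 03:25:00 PM", "Nina Maddalena", "10.9.9.9", _REASON),
]
SAMPLE_EVENTS = [_TEMPLATE.format(ts=t, user=u, src=s, reason=r) for t, u, s, r in _SAMPLE]

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # assumed month/day/year, as in the posted event


def parse_4625(raw):
    """Extract the fields the thread's table needs from one raw 4625 event and
    map them onto the CIM names (user, src, dest). Returns None for other codes."""
    lines = raw.strip().splitlines()
    when = datetime.strptime(lines[0].strip(), TIME_FMT)
    header = {}
    for line in lines[1:]:
        if line.startswith("Message="):
            break
        key, _, value = line.partition("=")
        header[key] = value
    if header.get("EventCode") != "4625":
        return None
    body = raw.split("Message=", 1)[1]

    def field(section, name):
        # Scope the lookup to a section: "Account Name:" also appears under Subject.
        m = re.search(section + r":.*?" + name + r":[ \t]*([^\n]*)", body, re.S)
        return m.group(1).strip() if m else None

    return {
        "_time": when,
        "user": field("Account For Which Logon Failed", "Account Name"),
        "src": field("Network Information", "Source Network Address"),
        "dest": header.get("ComputerName"),
        "Workstation_Name": field("Network Information", "Workstation Name"),
        "Failure_Reason": field("Failure Information", "Failure Reason"),
    }


def bucket_30m(when, span_minutes=30):
    """Floor a timestamp to the start of its span, like `bucket _time span=30m`."""
    minutes = (when.hour * 60 + when.minute) // span_minutes * span_minutes
    return when.replace(hour=minutes // 60, minute=minutes % 60, second=0, microsecond=0)


def failures_by_source(events, span_minutes=30, min_users=2):
    """Equivalent of `| bucket _time span=30m | stats dc(user) values(user) count by src,_time
    | search count_users>=min_users`; returns {(src, window_start): summary}."""
    groups = defaultdict(lambda: {"users": set(), "attempts": 0})
    for ev in events:
        g = groups[(ev["src"], bucket_30m(ev["_time"], span_minutes))]
        g["users"].add(ev["user"])
        g["attempts"] += 1
    return {k: {"count_users": len(g["users"]), "users": sorted(g["users"]), "attempts": g["attempts"]}
            for k, g in groups.items() if len(g["users"]) >= min_users}


def per_user_table(events):
    """One row per (user, src) as in the original question: attempt count and the
    gap between the last two failures (None when there was only one)."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_user[(ev["user"], ev["src"])].append(ev)
    rows = []
    for (user, src), evs in by_user.items():
        gap = (evs[-1]["_time"] - evs[-2]["_time"]) if len(evs) > 1 else None
        rows.append({"user": user, "src": src, "system": evs[-1]["Workstation_Name"],
                     "failure_reason": evs[-1]["Failure_Reason"],
                     "since_last": gap, "attempts": len(evs)})
    return rows


if __name__ == "__main__":
    parsed = [e for e in map(parse_4625, SAMPLE_EVENTS) if e]
    for (src, window), g in sorted(failures_by_source(parsed).items()):
        print(f"{window:%H:%M} {src:<10} users={g['count_users']} attempts={g['attempts']} {g['users']}")
    for row in per_user_table(parsed):
        print(row)
```

The section-scoped lookup in `field` is the part worth copying: a plain `Account_Name` extraction on a 4625 event is multi-valued because the Subject block also carries an "Account Name:" line (the "-" in the posted event), which is why the add-on's CIM `user` field, or an extraction anchored on "Account For Which Logon Failed", is the right thing to group on. With the sample above, the 15:30 window for 10.1.2.3 holds three distinct users and three attempts, the 15:00 window holds two, and the single-user windows drop out, which is the shape of result the first answer's `search count_users>10` is meant to filter once the threshold suits your environment.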

AaronMoorcroft
Communicator

Nah, all the info above is fiction, all just test data in a test lab 🙂 I'll give it some further time today, thank you.

0 Karma