Hi Guys,
I was hoping someone could help me out here. I have done some digging, but I can't seem to get anything to work for me. What I would like is a search that returns a table showing failed login attempts for users, all from the same system/IP, with a set time of 30 mins between attempts.
for example -
| User | System | Failure Reason | Time Since last failed logon attempt | No of attempts |
|---|---|---|---|---|
| Adam Smith | DC01 | Unknown username or password | 30 mins | 5 |
| Pete Jones | DC01 | Unknown username or password | 30 mins | 5 |
| Bob Beckette | DC01 | Unknown username or password | 30 mins | 5 |
Hi! Have a look at this:
index=* tag=authentication action="failure"
| bucket _time span=30m
| stats dc(user) as count_users values(user) as users by src,_time
| search count_users>10
I made the search CIM-compliant. If you are using the Windows Add-on, then the Windows authentication events should be CIM-compliant.
You can also remove the bucket line and instead set the time windows to last 30 minutes.
Thank you, I'll give it a go and feedback 🙂
Hey, that doesn't seem to work for me - this is one of the events -
2/03/2018 03:23:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=DC01.PurpleHaze.local
TaskCategory=Logon
OpCode=Info
RecordNumber=1204537
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Adam Rogers
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: DC01
Source Network Address: fe80::425:8ae2:c951:d1c8
Source Port: 63891
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Do you have the Splunk Add-on for Microsoft Windows installed on your search head and indexers?
When you run "index=* EventCode=4625 | head 100 | table _time,tag,action,user,src" then do you see a table with all columns nicely filled out?
Alternatively, replace "user" and "src" with your own fields.
Also, remove the last line "| search count_users>10" for testing purposes.
So index=main EventCode=4625 | head 100 | table _time,tag,action,user,src displays a nice-looking table with only the _time column populated.
Okay, so this populates now - index=main EventCode=4625 | head 150 | table _time,Workstation_Name,Account_Name,Keywords,Failure_Reason
looks like this -
| _time | Workstation_Name | Account_Name | Keywords | Failure_Reason |
|---|---|---|---|---|
| | | Archie Pollitt | Audit Failure | Unknown user name or bad password. |
| | | Bernard Hires | Audit Failure | Unknown user name or bad password. |
| | | Serafina Alleman | Audit Failure | Unknown user name or bad password. |
| | | Carmon Summitt | Audit Failure | Unknown user name or bad password. |
| | | Ashly Prophet | Audit Failure | Unknown user name or bad password. |
| | | Treena Mickel | Audit Failure | Unknown user name or bad password. |
| | | Gino Kellar | Audit Failure | Unknown user name or bad password. |
| | | Nina Maddalena | Audit Failure | Unknown user name or bad password. |
If these are real names in your sample data, you should mask them via ***.
Okay, so either you use these field names (Workstation_Name, Account_Name...) and place them in the search query above, or you set up the Windows add-on to have the CIM fields user,src,dest... extracted automatically.
Nah, all the info above is fiction, all just test data in a test lab 🙂 I'll give it some further time today, thank you.
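The bucket/stats search suggested above, replayed offline in Python as an added example (not code from the thread or from Splunk): it parses constructed EventCode 4625 events in the layout pasted in the thread, floors _time to 30-minute buckets and counts distinct users per source address, so you can see what `search count_users>N` would return before the CIM field extractions are sorted out. The sample events, the month/day/year timestamp order and the lowered threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed 4625 events in the thread's "Key=value" / "Field: value" layout (trimmed; names/addresses made up).
EVENT_TEMPLATE = """{ts}
EventCode=4625
Subject:
Account Name: -
Account For Which Logon Failed:
Account Name: {user}
Failure Reason: Unknown user name or bad password.
Source Network Address: {src}
"""
SAMPLE_EVENTS = [EVENT_TEMPLATE.format(ts=t, user=u, src=s) for t, u, s in [
    ("2/03/2018 03:05:10 PM", "Adam Smith", "10.0.0.5"),
    ("2/03/2018 03:12:44 PM", "Pete Jones", "10.0.0.5"),
    ("2/03/2018 03:23:31 PM", "Bob Beckette", "10.0.0.5"),
    ("2/03/2018 03:27:02 PM", "Adam Smith", "10.0.0.5"),       # repeat user: dc() counts once
    ("2/03/2018 03:41:15 PM", "Nina Maddalena", "10.0.0.9"),   # other src, next 30m bucket
]]

def parse_event(raw):
    """Extract _time, EventCode, the failed account and the source address from one event."""
    def grab(pattern):
        m = re.search(pattern, raw, re.S)
        return m.group(1).strip() if m else None
    return {
        # assumption: month/day/year order in the pasted timestamp
        "_time": datetime.strptime(raw.splitlines()[0].strip(), "%m/%d/%Y %I:%M:%S %p"),
        "EventCode": grab(r"EventCode=([^\n]*)"),
        # skip the Subject block: the target user is the Account Name under "Account For Which Logon Failed:"
        "user": grab(r"Account For Which Logon Failed:.*?Account Name:[ \t]*([^\n]*)"),
        "src": grab(r"Source Network Address:[ \t]*([^\n]*)"),
    }

def bucket_time(ts, span_minutes=30):
    """Floor ts to its bucket start, like '| bucket _time span=30m' (span must divide 60)."""
    return ts.replace(minute=ts.minute - ts.minute % span_minutes, second=0, microsecond=0)

def failed_logons_by_src(raw_events, span_minutes=30, min_users=10):
    """'| stats dc(user) as count_users values(user) as users by src,_time | search count_users>N'."""
    groups = defaultdict(set)
    for raw in raw_events:
        ev = parse_event(raw)
        if ev["EventCode"] != "4625":  # only failed logons, as in 'index=main EventCode=4625'
            continue
        groups[(ev["src"], bucket_time(ev["_time"], span_minutes))].add(ev["user"])
    rows = [{"src": s, "_time": t, "count_users": len(u), "users": sorted(u)} for (s, t), u in sorted(groups.items())]
    return [r for r in rows if r["count_users"] > min_users]
```

With the thread's threshold of 10 the tiny sample returns nothing; lower `min_users` to see the 15:00 bucket for 10.0.0.5 with three distinct users.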