Splunk Search

In a search, how do I create a table that shows the failed log in attempts for all users from the same system?

AaronMoorcroft
Communicator

Hi Guys,

I was hoping someone could help me out here, I have done some digging but I can't seem to get anything to work for me. What I would like is a search that returns a table showing a failed log in attempts for users all from the same system / ip with a set time of 30 mins between attempts

for example -

User System Failure Reason Time Since last failed logon attempt No of attempts

Adam Smith DC01 Unknown username or password 30 mins 5
Pete Jones DC01 Unknown username or password 30 mins 5
Bob Beckette DC01 Unknown username or password 30 mins 5

Tags (3)
0 Karma

whrg
Motivator

Hi! Have a look at this:

index=* tag=authentication action="failure"
| bucket _time span=30m
| stats dc(user) as count_users values(user) as users by src,_time
| search count_users>10

I made the search CIM-comliant. If you are using the Windows Add-on then the Windows authentication events should be CIM-compliant.

You can also remove the bucket line and instead set the time windows to last 30 minutes.

0 Karma

AaronMoorcroft
Communicator

thank you, ill give it go and feedback 🙂

0 Karma

AaronMoorcroft
Communicator

Hey, that doesnt seem to work for me - this is one of the events -

2/03/2018 03:23:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=DC01.PurpleHaze.local
TaskCategory=Logon
OpCode=Info
RecordNumber=1204537
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Adam Rogers
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: DC01
Source Network Address: fe80::425:8ae2:c951:d1c8
Source Port: 63891

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

0 Karma

whrg
Motivator

Do you have the Splunk Add-on for Microsoft Windows installed on your search head and indexers?
When you run "index=* EventCode=4625 | head 100 | table _time,tag,action,user,src" then do you see a table with all columns nicely filled out?
Alternatively, replace "user" and "src" with your own fields.
Also, remove the last line "| search count_users>10" for testing purposes.

0 Karma

AaronMoorcroft
Communicator

so index=main EventCode=4625 | head 100 | table _time,tag,action,user,src displays a nice looking table with only the _time column populated

0 Karma

AaronMoorcroft
Communicator

okay, so this populates now - index=main EventCode=4625 | head 150 | table _time,Workstation_Name,Account_Name,Keywords,Failure_Reason

looks like this -

_time Workstation_Name Account_Name Keywords Failure_Reason

2018-12-03 15:53:52 DC01

Archie Pollitt
Audit Failure Unknown user name or bad password.

2018-12-03 15:53:52 DC01

Bernard Hires
Audit Failure Unknown user name or bad password.

2018-12-03 15:53:52 DC01

Serafina Alleman
Audit Failure Unknown user name or bad password.

2018-12-03 15:53:52 DC01

Carmon Summitt
Audit Failure Unknown user name or bad password.

2018-12-03 15:53:52 DC01

Ashly Prophet
Audit Failure Unknown user name or bad password.

2018-12-03 15:53:52 DC01

Treena Mickel
Audit Failure Unknown user name or bad password.

2018-12-03 15:53:52 DC01

Gino Kellar
Audit Failure Unknown user name or bad password.

2018-12-03 15:53:52 DC01

Nina Maddalena
Audit Failure Unknown user name or bad password.

0 Karma

whrg
Motivator

If these are real names in your sample data, you should mask them via ***.

Okay, so either you use these field names (Workstation_Name,Account_Name...) and place them in the search query above or you setup the Windows add-on to have the CIM fields user,src,dest... extracted automatically.

0 Karma

AaronMoorcroft
Communicator

Nah all the info above is fiction, all just test data in a test lab 🙂 ill give it some further time today, thank you.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...