Splunk Search

Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

Path Finder

I have the following search and I'm not certain it's producing the correct results. The idea is to use it to detect brute force attempts whereby 1 source device attempts to connect to multiple destinations over a 1 second period making use of the Authentication datamodel, specifically for failed logins.

Current search looks as follows;

| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication  Authentication.app!="win:unknown" by "Authentication.src","Authentication.dest" | rename "Authentication.src" as "Source_Device" | bucket _time span=1s | stats dc("Authentication.dest") as Destination_Device by Source_Device | where Destination_Device > 20

But I'm not certain whether it's producing results of failed connections over a period of time, say 30 days, or whether the results are all failed login attempts carried out over a 1-second period, as per the bucket _time span=1s statement. The idea is to make the search into an alert to detect brute force attacks against multiple destinations.

Any thoughts?

Many thanks in advance!


Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

Communicator

Have you looked at the events to confirm you have some instances where there were 20 attempts to different machines from the same source host within the same second?

0 Karma

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

SplunkTrust

Try like this

Updated

| tstats summariesonly=t dc("Authentication.dest") as Destination_Device from datamodel=Authentication where nodename=Authentication.Failed_Authentication Authentication.app!="win:unknown" by "Authentication.src" _time span=1s | rename "Authentication.src" as "Source_Device" | where Destination_Device > 20



Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

SplunkTrust

Don't you need

...by Source_Device _time ...

in the final stats command?

0 Karma

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

SplunkTrust

Thanks Dal. Yes I do. In fact that gave me an idea to avoid the second stats altogether.

0 Karma

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

Path Finder

So ditch the 'bucket' altogether?

0 Karma

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

SplunkTrust

The bucketing is happening as part of tstats command itself (include _time in the by clause and a span at the end of the tstats).

0 Karma

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

Path Finder

OK, that makes sense. Slightly confused though: is Dal's ...by Source_Device needed as well? And would this go in an additional | stats search?

Sorry, new to Splunk. Slowly getting there.

0 Karma

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

SplunkTrust

In general, you fetch the required events in the base search (anything before the first pipe) and then you aggregate the results using stats/timechart or any other similar command. tstats, on the other hand, is a special command which lets you do both, fetching and aggregation, in the same command. Since you were doing a simple stats, with bucketing based on _time, I was able to bundle that into a single tstats command. I would check the results (without the where clause) first and then add more aggregation, if required.

0 Karma
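To make the difference between the two searches concrete, here is a small Python model of both aggregations run over a constructed set of failed-authentication events. This is an added example, not code from the thread or from Splunk; the event tuples, host names and source addresses are made up, and the functions are hypothetical stand-ins for the two SPL pipelines. It shows why the first search (bucket after tstats, no _time in the by clause) counts distinct destinations over the whole search window, while the accepted answer (_time span=1s inside the tstats by clause) counts them per source per second. It also shows the practical caveat with a 1-second window: a source that spreads the same 25 failures over 25 seconds never trips the per-second rule, so the span should be chosen to match the attack speed you actually expect.

```python
from collections import defaultdict

# Constructed sample of Authentication.Failed_Authentication events as
# (epoch seconds, src, dest, app). Not real data.
#   10.0.0.5 fails against 25 distinct hosts inside the same second (a true spray).
#   10.0.0.9 fails against 25 distinct hosts, one per second over 25 seconds.
#   10.0.0.7 has one failure from the app both searches exclude.
SAMPLE_EVENTS = (
    [(1700000000.0 + i * 0.01, "10.0.0.5", f"host{i:02d}", "win:local") for i in range(25)]
    + [(1700000100.0 + i, "10.0.0.9", f"host{i:02d}", "win:local") for i in range(25)]
    + [(1700000200.0, "10.0.0.7", "host99", "win:unknown")]
)

EXCLUDED_APP = "win:unknown"   # Authentication.app!="win:unknown"
THRESHOLD = 20                 # where Destination_Device > 20


def failed_auth(events):
    """Mirror the tstats where clause: drop events from the excluded app."""
    return [e for e in events if e[3] != EXCLUDED_APP]


def distinct_dest_per_source(events):
    """Model of the original search.

    _time is not in the tstats by clause, so 'bucket _time span=1s' has no
    _time field to act on and the trailing stats counts distinct
    destinations per source over the entire search window.
    """
    dests = defaultdict(set)
    for _ts, src, dest, _app in failed_auth(events):
        dests[src].add(dest)
    return {src: len(d) for src, d in dests.items()}


def distinct_dest_per_source_per_second(events, span=1):
    """Model of the accepted answer.

    '_time span=1s' in the tstats by clause floors each timestamp to a
    one-second bucket before aggregation, so distinct destinations are
    counted per (source, bucket start).
    """
    dests = defaultdict(set)
    for ts, src, dest, _app in failed_auth(events):
        bucket_start = int(ts // span) * span
        dests[(src, bucket_start)].add(dest)
    return {key: len(d) for key, d in dests.items()}


def alerts_window(events, threshold=THRESHOLD):
    """Sources the original (whole-window) search would alert on."""
    return sorted(src for src, dc in distinct_dest_per_source(events).items()
                  if dc > threshold)


def alerts_per_second(events, threshold=THRESHOLD):
    """(source, bucket start) pairs the per-second search would alert on."""
    return sorted(key for key, dc in distinct_dest_per_source_per_second(events).items()
                  if dc > threshold)


if __name__ == "__main__":
    print("whole-window search fires on:", alerts_window(SAMPLE_EVENTS))
    print("per-second search fires on:  ", alerts_per_second(SAMPLE_EVENTS))
```

Running it, the whole-window model alerts on both 10.0.0.5 and 10.0.0.9, because over a 30-day window the slow source also reaches 25 distinct destinations; the per-second model alerts only on 10.0.0.5 in the bucket starting at 1700000000. Replace SAMPLE_EVENTS with a dump of your own Failed_Authentication summary (src, dest, app, _time) to see which behaviour your data actually exhibits before turning the search into an alert.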

Re: Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

Path Finder

Awesome. Thanks for your help.

0 Karma