I have the following search and I'm not certain it's producing the correct results. The idea is to use it to detect brute force attempts whereby 1 source device attempts to connect to multiple destinations over a 1 second period making use of the Authentication datamodel, specifically for failed logins.
Current search looks as follows;
| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication Authentication.app!="win:unknown" by "Authentication.src","Authentication.dest" | rename "Authentication.src" as "Source_Device" | bucket _time span=1s | stats dc("Authentication.dest") as Destination_Device by Source_Device | where Destination_Device > 20
But I'm not certain it's producing results of failed connections over a period of time, say 30 days, or the results were all failed login attempts carried out over a 1 second period as per the use of the
bucket _time span=1s statement. The idea is to make the search into an alert to detect brute force attacks against multiple destinations.
Many thanks in advance!
Have you looked at the events to confirm you have some instances where there were 20 attempts to different machines from the same source host within the same second?
Try like this
| tstats summariesonly values("Authentication.dest") as Destination_Device from datamodel=Authentication where nodename=Authentication.Failed_Authentication Authentication.app!="win:unknown" by "Authentication.src" _time span=1s| rename "Authentication.src" as "Source_Device" | where Destination_Device > 20
Don't you need
...by Source_Device _time ...
in the final stats command?
Thanks Dal. Yes I do. In fact that gave me an idea to avoid the send stats all together.
The bucketing is happening as part of tstats command itself (include _time in the by clause and a span at the end of the tstats).
Ok that makes sense, slightly confused though, is Dal's ...by Source_Device needed as well? And would this go in an additional | stats search?
Sorry, new to Splunk. Slowly getting there.
In general, you fetch required events in base search (anything before first pipe) and then you aggregate the results using stats/timechart or any other similar command. Whereas, tstats is a special command which let you do both, fetching and aggregation, in the same command itself. Since you were doing a simple stats, with bucketing based on _time, I was able to bundle that as single tstats command. I would check the results (without where clause) first and then add more aggragation, if required.