Password spraying search

kuriakose · ‎08-23-2021

Hi,

I am attempting to create a search for a password spraying attempt. I need the IP address and Hostname made with the different login names attempted to login to a particular machine within the last 5 min. Also, the number of login attempts should be more than 10.

I created the below search, but that's pulling me wrong data. A sample data am expecting is attached in the screenshot

index=win* EventCode=4625 Logon_Type=3 Target_User_Name!="" src_ip!="-" |bucket span=5m _time
|stats dc(TargetUserName) AS Unique_accounts values(TargetUserName) as tried_accounts by _time, src_ip Source_Workstation |eventstats avg(Unique_accounts) as global_avg, stdev(Unique_accounts) as global_std |eval upperBound=(comp_avg+comp_std*3) |eval isOutlier=if(Unique_accounts>10 and Unique_accounts>=upperBound, 1, 0) |sort -Unique_accounts

Thanks in advance.

ITWhisperer · ‎08-23-2021

comp_avg and comp_std don't exist, you named them global_avg and global_std in the eventstats command

kuriakose · ‎08-23-2021

I made those changes still i am not getting the result what am expecting.

ITWhisperer · ‎08-23-2021

In what way does it differ from what you expected?

Password spraying search

stats

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor