Splunk Search

Removing events with duplicate fields from transaction command

Explorer

Hi all,
I am writing a query to detect brute force attempts, where the username is different in each request.
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats count by clientip | search count >5 | sort count desc

This is giving me if someone has typed in same username within 2 mins, i want to avoid those. So i want to know if someone tried to login more than 5 times with different usernames from the same IP.

I tried my luck with dedup, but it doesn't seem to be working.
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | dedup username | stats count by clientip | search count >5 | sort count desc

Thank You

0 Karma

Builder

Pretty sure this will do what you want...

index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats dc(clientip) AS "Client IP" values(username) AS "User Name" dc(username) AS "usernames" by clientip | where usernames > 5 | table clientip, "User Name"

0 Karma

Contributor

Hi,

I don't have logfiles to recreate your scenario, so I can't test this, but would this work?

index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats count as ipcount dc(username) as usercount by clientip | where ipcount>5 AND usercount>5

That would only catch cases where each login was tried with a different username though, perhaps usercount>3 or something would be nice.

Hth,
Kai.

0 Karma