Splunk Search

Removing events with duplicate fields from transaction command

dineshp
Explorer

Hi all,
I am writing a query to detect brute force attempts, where the username is different in each request.
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats count by clientip | search count >5 | sort count desc

This is giving me if someone has typed in same username within 2 mins, i want to avoid those. So i want to know if someone tried to login more than 5 times with different usernames from the same IP.

I tried my luck with dedup, but it doesn't seem to be working.
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | dedup username | stats count by clientip | search count >5 | sort count desc

Thank You

0 Karma

mydog8it
Builder

Pretty sure this will do what you want...

index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats dc(clientip) AS "Client IP" values(username) AS "User Name" dc(username) AS "usernames" by clientip | where usernames > 5 | table clientip, "User Name"

0 Karma

knielsen
Contributor

Hi,

I don't have logfiles to recreate your scenario, so I can't test this, but would this work?

index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats count as ipcount dc(username) as usercount by clientip | where ipcount>5 AND usercount>5

That would only catch cases where each login was tried with a different username though, perhaps usercount>3 or something would be nice.

Hth,
Kai.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...