Splunk Search

Search for Suspicious Logon Behavior

johann2017
Explorer

Hello there. I want to build a query that alerts off when a single source IP or source computer is attempting to logon to multiple computers (Event Code's 4624 and 4625). How can I go about this?

I tried with the query below but its not differentiating single to many logon attempts, it is returning also single to single attempts which is not what I want.

index=windows-logs (EventCode=4624 OR EventCode=4625) src_ip=* src!=10.1.2.23 | top Account_Name, src_ip limit=0 countfield="Total" showperc=f | where Total > 20 | rename src_ip AS "Source IP Performing Remote Login Attempts"

Tags (1)
0 Karma
1 Solution

martynoconnor
Communicator

Something like this?

index=windows-logs (EventCode=4624 OR EventCode=4625) src_ip=* NOT src="10.1.2.23"
| stats dc(host) AS hosts by Account_Name
| where hosts > 20
| rename src_ip AS "Source IP Performing Remote Login Attempts"

View solution in original post

0 Karma

martynoconnor
Communicator

Something like this?

index=windows-logs (EventCode=4624 OR EventCode=4625) src_ip=* NOT src="10.1.2.23"
| stats dc(host) AS hosts by Account_Name
| where hosts > 20
| rename src_ip AS "Source IP Performing Remote Login Attempts"

0 Karma

johann2017
Explorer

Hello Marty. A couple of things I found when doing a test vulnerability scan which would mimic the type of behavior I want to alert on (a single IP scanning multiple IPs). I found the the remote systems attempting to be accessed show up under the field name "dest" and that the source ip of the scanner attempting to connect is under the field name "Source_Network_Address". I modified your sytax below - does it look right because I am getting zero results?

index=windows-logs (EventCode=4624 OR EventCode=4625) Source_Network_Address=* NOT src="10.1.2.23"
| stats dc(dest) AS dest by Source_Network_Address
| where dest > 20

0 Karma

johann2017
Explorer

Actually I had a typo in my index. I think your recommendation will get me going in the right direction. I am going to keep testing with it though. Thanks!!

0 Karma

johann2017
Explorer

@martynoconnor If I wanted to build a similar search - except this time I want to alert off a certain username trying to log on to multiple computers how would I do that? Let's say the usernames I am interested in are Administrator and Root...

0 Karma

martynoconnor
Communicator

If the usernames are important, then add them in as key=value pairs before the first pipe, and then as a second by clause for the stats(dc). Something like this:

index=windows-logs (EventCode=4624 OR EventCode=4625) Source_Network_Address=* NOT src="10.1.2.23" (user=Administrator OR user=root)
| stats dc(dest) AS dest by Source_Network_Address user
| where dest > 20

0 Karma

johann2017
Explorer

You rock that worked too!

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...