- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Query for Suspicious Logon Behavior
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello there. I want to build a query that alerts off when a single source IP or source computer is attempting to logon to multiple computers (Event Code's 4624 and 4625). How can I go about this?
I tried with the query below but its not differentiating single to many logon attempts, it is returning also single to single attempts which is not what I want.
index=windows-logs (EventCode=4624 OR EventCode=4625) src_ip=* src!=10.1.2.23 | top Account_Name, src_ip limit=0 countfield="Total" showperc=f | where Total > 20 | rename src_ip AS "Source IP Performing Remote Login Attempts"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this?
index=windows-logs (EventCode=4624 OR EventCode=4625) src_ip=* NOT src="10.1.2.23"
| stats dc(host) AS hosts by Account_Name
| where hosts > 20
| rename src_ip AS "Source IP Performing Remote Login Attempts"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this?
index=windows-logs (EventCode=4624 OR EventCode=4625) src_ip=* NOT src="10.1.2.23"
| stats dc(host) AS hosts by Account_Name
| where hosts > 20
| rename src_ip AS "Source IP Performing Remote Login Attempts"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Marty. A couple of things I found when doing a test vulnerability scan which would mimic the type of behavior I want to alert on (a single IP scanning multiple IPs). I found the the remote systems attempting to be accessed show up under the field name "dest" and that the source ip of the scanner attempting to connect is under the field name "Source_Network_Address". I modified your sytax below - does it look right because I am getting zero results?
index=windows-logs (EventCode=4624 OR EventCode=4625) Source_Network_Address=* NOT src="10.1.2.23"
| stats dc(dest) AS dest by Source_Network_Address
| where dest > 20
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually I had a typo in my index. I think your recommendation will get me going in the right direction. I am going to keep testing with it though. Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@martynoconnor If I wanted to build a similar search - except this time I want to alert off a certain username trying to log on to multiple computers how would I do that? Let's say the usernames I am interested in are Administrator and Root...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the usernames are important, then add them in as key=value pairs before the first pipe, and then as a second by clause for the stats(dc). Something like this:
index=windows-logs (EventCode=4624 OR EventCode=4625) Source_Network_Address=* NOT src="10.1.2.23" (user=Administrator OR user=root)
| stats dc(dest) AS dest by Source_Network_Address user
| where dest > 20
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You rock that worked too!
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
