Splunk Search

Search for multiple login attempts from same IP

anomalyfinder
Engager

Hi,

I try to find out a way to search for login events(bruteforce)were the user comes from one IP address and tries multiple usernames within a set period of time. Do someone have any ideas?

Labels (1)
0 Karma
1 Solution

96nick
Communicator

Hey, here's a search that was posted to GoSplunk that works pretty well. You may have to change it a bit to match your environment but the foundation is set.

 

sourcetype=windows EventCode=4625 OR EventCode=4624 
 | bin _time span=5m as minute 
 | rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:" 
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=4
 | stats dc(username) as Total by minute 
 | where Total>5

 

Here's the link to the GoSplunk query.

View solution in original post

96nick
Communicator

Hey, here's a search that was posted to GoSplunk that works pretty well. You may have to change it a bit to match your environment but the foundation is set.

 

sourcetype=windows EventCode=4625 OR EventCode=4624 
 | bin _time span=5m as minute 
 | rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:" 
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=4
 | stats dc(username) as Total by minute 
 | where Total>5

 

Here's the link to the GoSplunk query.

kamlesh_vaghela
SplunkTrust
SplunkTrust

@anomalyfinder 

Can you please share some sample events?

KV

0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...