Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for multiple login attempts from same IP

anomalyfinder
Engager
‎06-11-2021 06:13 AM

Hi,

I try to find out a way to search for login events(bruteforce)were the user comes from one IP address and tries multiple usernames within a set period of time. Do someone have any ideas?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

96nick
Communicator
‎06-11-2021 06:26 AM

Hey, here's a search that was posted to GoSplunk that works pretty well. You may have to change it a bit to match your environment but the foundation is set.

 

sourcetype=windows EventCode=4625 OR EventCode=4624 
 | bin _time span=5m as minute 
 | rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:" 
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=4
 | stats dc(username) as Total by minute 
 | where Total>5

 

Here's the link to the GoSplunk query.

View solution in original post

Reply
Solved! Jump to solution
Solution

96nick
Communicator
‎06-11-2021 06:26 AM

Hey, here's a search that was posted to GoSplunk that works pretty well. You may have to change it a bit to match your environment but the foundation is set.

 

sourcetype=windows EventCode=4625 OR EventCode=4624 
 | bin _time span=5m as minute 
 | rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:" 
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=4
 | stats dc(username) as Total by minute 
 | where Total>5

 

Here's the link to the GoSplunk query.

Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-11-2021 06:19 AM

@anomalyfinder 

Can you please share some sample events?

KV

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...