Splunk Search

Seeing no results when broadening streamstats search - Concurrent Failed Logins

rquish94
Explorer

Hi All,

I've been working on a search that will give me the Account_Name of someone who has failed to login 6-10 times concurrently. I'm running into an issue where i'm seeing the accurate results when specifying 1-2 Account_Names in the query. When i try to open it up to any Account_Name i'm getting no results returned. Im dealing with a very large sourcetype and im wondering if there might be some kind of streamstats limit being reached preventing results? I'm not too familiar with the streamstats command but believe im using it correctly judging by the refined search and accurate results.

My ultimate goal would be to incorporate the concurrent count into the last query listed below.   

Any advice/help would be appreciated. 

Search Returning Results (Accurate):

| from datamodel:Authentication | search sourcetype="graylogwindows:Security" (EventCode=4624 OR EventCode=4625) (Account_Name=User1 OR Account_Name=User2) NOT (Account_Name="*$" OR Account_Name="HealthMailbox*")
| eval LoginAttemptResult=if((action="failure" OR EventCode=4625), "FAILED", "SUCCESSFUL")
| streamstats count(eval(LoginAttemptResult="FAILED")) AS ConcurrentFailed BY Account_Name reset_before=signature_id=4624 reset_after=signature_id=4624
| where ConcurrentFailed >= 6 AND ConcurrentFailed <= 10
| sort Account_Name _time
|table Workstation_Name,_time,signature,signature_id,Account_Name,ConcurrentFailed

Search Returning Nothing:

| from datamodel:Authentication | search sourcetype="graylogwindows:Security" (EventCode=4624 OR EventCode=4625) NOT (Account_Name="*$" OR Account_Name="HealthMailbox*")
| eval LoginAttemptResult=if((action="failure" OR EventCode=4625), "FAILED", "SUCCESSFUL")
| streamstats count(eval(LoginAttemptResult="FAILED")) AS ConcurrentFailed BY Account_Name reset_before=signature_id=4624 reset_after=signature_id=4624
| where ConcurrentFailed >= 6 AND ConcurrentFailed <= 10
|table Workstation_Name,_time,signature,signature_id,Account_Name,ConcurrentFailed
| sort Account_Name _time

 

Ultimate goal to get functioning (everything functioning other than streamstats "Failure_Count"):
| from datamodel:Authentication | search sourcetype="graylogwindows:Security" (EventCode=4624 OR EventCode=4625) NOT (Account_Name="*$" OR Account_Name="HealthMailbox*")
| reverse
| streamstats count(EventCode) as "Failure_Count" BY Account_Name reset_after=EventCode="4624" reset_before=EventCode="4624"
| stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed,
count(eval(match(Keywords,"Audit Success"))) as Success, values(Failure_Count) as "Failure_Count_Values" by Account_Name
| where Attempts>=1 AND Success>=1 AND Failed>=6 AND Failure_Count_Values > 6....

Labels (2)
0 Karma

thambisetty
SplunkTrust
SplunkTrust

I have recently done a video explaining the same usecase using stremstats.

have a look at below:

https://youtu.be/xzgFTqSFx7w

————————————
If this helps, give a like below.

rquish94
Explorer

Hey Thambisetty,

I definitely see how this could get me the concurrent count i'm looking for. I do have two problems when going this route though:

1: The dataset im looking over is large enough where i'd need to convert the |stats to a |tstats looking over a datamodel. When using Tstats i run into the issue that time can't be spanned or separated less than a second, therefore some of these events are getting grouped together, skewing the results. I'll have to unaccelerate our DM and add the unique field "id" to potentially add it to the query, making every event unique. (attached photo showing events being grouped)

2: Although this could give the concurrent failed login count prior to the first successful logon, im not sure if it resets its count on logon success. (what if there are another 5 failed logins in a row prior to another successful login?). I've tested adding reset_before and reset_after to the first streamstats but am still having issues confirming accuracy due to the tstats issue above.

My version of your query where results are being grouped:

| tstats count from datamodel=Authentication where sourcetype="graylogwindows:Security" (Authentication.EventCode=4624 OR Authentication.EventCode=4625) Authentication.Account_Name="Sample_Account" by _time span=1s Authentication.Account_Name Authentication.Keywords Authentication.signature_id Authentication.EventCode
| sort _time
| streamstats global=true count as "sscount" current=false by Authentication.Account_Name Authentication.Keywords
| streamstats global=true current=false last(sscount) as last_count last(Authentication.Keywords) as last_action by Authentication.Account_Name

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I don't know how much of a difference it will make, but the reset_before and reset_after arguments need to be within parens.

streamstats count(EventCode) as "Failure_Count" BY Account_Name reset_after=(EventCode="4624") reset_before=(EventCode="4624")

 

---
If this reply helps you, Karma would be appreciated.

rquish94
Explorer

Hey Richgalloway,

I appreciate the syntax advise. I've changed it so both resets in all my queries are within parentheses. Unfortunately im not seeing any difference in results with the change. As i broaden my results to more than specified Account_Names i either get inaccurate data or no results.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...