Splunk Search

Statistical analysis of failed logins

maxywalker1
Explorer

I have been trying to look at statistical figures for failed login attempts over a 30 day period for each user by the hostname. I can get a table showing every failed attempt but want to condense that down to show a total count of failed attempts and an avg/day, my thinking being that it could be useful to identify attempts to do slow brute forcing from credential stuffing attacks.

This is what I have tried so far:

index=wineventlog EventCode=4625
| search signature="User name is correct but the password is wrong"
| eventstats count(TargetUserName) by hostname as Total_Count
| eventstats avg(Total_Count) as Avg_Count
| table TargetUserName, hostname, Total_Count, Avg_Count
| sort TargetUserName

but this ends up giving me the username and hostname but the total and avg fields are blank.

Any ideas on how to do this better?


Thanks,

Maxy


bowesmana
SplunkTrust

If you are searching a 30 day window then you would want something like this

index=wineventlog EventCode=4625 signature="User name is correct but the password is wrong"
| bin _time span=1d
| stats count by _time, TargetUserName hostname 
| eventstats avg(count) as Avg_Count sum(count) as Total_Count by _time
| table TargetUserName, hostname, Total_Count, Avg_Count
| sort TargetUserName

However, it's not clear if your total is the total of all across the entire time range, or the total per day, or the total per user per day, or the total per user/host per day.

But essentially the above is creating a daily bucket (bin command), then getting the count by day/user/host, and then getting the average per day and total per day.
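As an added illustration (not code from this thread), the same aggregation carried out in Python over a constructed handful of 4625-style events. It shows the distinction raised above: the per-day total and average across all user/host pairs that the `eventstats ... by _time` pipeline produces, versus the per-user/host total and average per day over the 30-day window that the question actually asked for. Event tuples and the `window_days` parameter are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean
from datetime import datetime

# Constructed sample of Windows 4625 events as (TargetUserName, hostname, UTC timestamp).
# Not real log data; alice/HOST1 models a low-and-slow pattern of one or two failures a day.
EVENTS = [
    ("alice", "HOST1", "2024-05-01T02:10:00Z"),
    ("alice", "HOST1", "2024-05-01T09:30:00Z"),
    ("alice", "HOST1", "2024-05-02T02:12:00Z"),
    ("alice", "HOST1", "2024-05-03T02:11:00Z"),
    ("bob",   "HOST1", "2024-05-01T12:00:00Z"),
    ("bob",   "HOST2", "2024-05-03T14:00:00Z"),
    ("carol", "HOST2", "2024-05-02T08:00:00Z"),
]


def daily_counts(events):
    """Equivalent of `bin _time span=1d | stats count by _time, TargetUserName, hostname`.
    Returns {(day, user, host): count}."""
    counts = defaultdict(int)
    for user, host, ts in events:
        day = datetime.fromisoformat(ts.replace("Z", "+00:00")).strftime("%Y-%m-%d")
        counts[(day, user, host)] += 1
    return dict(counts)


def per_day_stats(counts):
    """Equivalent of `eventstats sum(count) as Total_Count avg(count) as Avg_Count by _time`:
    for each day, the total failures and the average per user/host pair seen that day."""
    by_day = defaultdict(list)
    for (day, _user, _host), c in counts.items():
        by_day[day].append(c)
    return {day: (sum(v), mean(v)) for day, v in by_day.items()}


def per_user_host_stats(counts, window_days):
    """What the question asked for: total failures and average per day for each
    user/host pair over the whole window. Days with no failures count as zero,
    which is what makes a slow, steady trickle stand out as a non-zero daily rate."""
    totals = defaultdict(int)
    for (_day, user, host), c in counts.items():
        totals[(user, host)] += c
    return {key: (t, t / window_days) for key, t in totals.items()}
```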



maxywalker1
Explorer

Thanks heaps, that worked perfectly, still need to get my head around some of these commands and how to put them all together.


bowesmana
SplunkTrust

But what you might want to do, rather than search the 30 days every time you search, is to create a saved search that runs every night and just collects the daily totals to a summary index, and then run the search on the summary index, which would be much faster.


renjith_nair
Legend

@maxywalker1,

Are you looking for something similar to ?

index=wineventlog EventCode=4625
| search signature="User name is correct but the password is wrong"
| bucket span=1d _time
| stats count by TargetUserName,hostname,_time
| eventstats sum(count) as total,avg(count) as avg by _time
---
What goes around comes around. If it helps, hit it with Karma 🙂