Splunk Search

Tracking Failed logon events over time

maxywalker1
Explorer

I have been trying to figure out a search that can be used to track failed logon events over time but really struggling to identify a workable solution (if there is one).

My initial search query was:

index=wineventlog EventCode=4625 NOT TargetUserName="*$"
| eval User=TargetDomainName."/".TargetUserName
| transaction User EventCode maxspan=1d
| stats values(User) by signature

Reading some other threads indicated that the use of 'transaction' isn't very efficient and to use streamstats or eventstats instead, so I came up with:

index=wineventlog EventCode=4625 NOT TargetUserName="*$" 
| eval User=TargetDomainName."/".TargetUserName
| eventstats sum(User) as Failed_Count by signature
| where Failed_Count >=3
| table User signature Failed_Count

however this doesn't give me any results.

My aim is to search over a 7 day period and show stats per day for each user by the signature. This would help with identifying bad scripts or possible brute-force attempts, including spray attacks over a long period.


bowesmana
SplunkTrust

You can try this

index=wineventlog EventCode=4625 NOT TargetUserName="*$" 
| eval User=TargetDomainName."/".TargetUserName
| bin _time span=1d
| stats count as Failed_Count by _time User signature

which will give you a table of failure counts by day, user and signature. After that you can do what you want to aggregate or filter based on that data. eventstats can be expensive if you have lots of data, so it's always best to aggregate where possible.

It's not totally clear what the output you want is, i.e. do you want to filter failures >=3 of an individual signature over the whole week, or failures per user/signature over a day. However, once you have the above table, you can then do more with that, e.g.

| eventstats sum(Failed_Count) as SignatureFailures by signature
| eventstats sum(Failed_Count) as UserFailures by User

this would then sum the failures by signature and user over the time range. You could also add in _time as the by clause to get the daily numbers too.

Note that doing eventstats after the stats will have reduced data volumes due to the aggregation already done in stats.

Hope this helps and gives you more to work with.

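To make the accepted answer's pipeline easier to reason about, here is the same aggregation re-implemented in Python over a handful of constructed 4625-style events. This is an added example, not code from the thread or from Splunk: the field names follow the searches above, the event sample is made up, the day binning assumes UTC, and the `splunk_sum` helper only models Splunk's documented behaviour of sum() skipping non-numeric values, which is why the question's `eventstats sum(User)` produced no rows.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of Windows Security events as Splunk would extract them
# (made-up users and addresses; not real log data). Includes one machine
# account and one successful logon so the filters have something to drop.
EVENTS = [
    {"_time": "2024-03-01T08:02:11Z", "EventCode": 4625, "TargetDomainName": "CORP",
     "TargetUserName": "alice", "signature": "Unknown user name or bad password", "src": "10.0.0.5"},
    {"_time": "2024-03-01T08:02:45Z", "EventCode": 4625, "TargetDomainName": "CORP",
     "TargetUserName": "alice", "signature": "Unknown user name or bad password", "src": "10.0.0.5"},
    {"_time": "2024-03-01T08:03:10Z", "EventCode": 4625, "TargetDomainName": "CORP",
     "TargetUserName": "alice", "signature": "Unknown user name or bad password", "src": "10.0.0.5"},
    {"_time": "2024-03-01T09:15:00Z", "EventCode": 4625, "TargetDomainName": "CORP",
     "TargetUserName": "bob", "signature": "Account is currently disabled", "src": "10.0.0.9"},
    {"_time": "2024-03-01T10:00:00Z", "EventCode": 4625, "TargetDomainName": "CORP",
     "TargetUserName": "WKS01$", "signature": "Unknown user name or bad password", "src": "10.0.0.20"},
    {"_time": "2024-03-02T01:30:00Z", "EventCode": 4625, "TargetDomainName": "CORP",
     "TargetUserName": "alice", "signature": "Unknown user name or bad password", "src": "10.0.0.5"},
    {"_time": "2024-03-02T02:00:00Z", "EventCode": 4625, "TargetDomainName": "CORP",
     "TargetUserName": "bob", "signature": "Account is currently disabled", "src": "10.0.0.9"},
    {"_time": "2024-03-02T02:10:00Z", "EventCode": 4624, "TargetDomainName": "CORP",
     "TargetUserName": "carol", "signature": "An account was successfully logged on", "src": "10.0.0.7"},
]

DAY = 86400


def epoch(ts):
    """ISO-8601 UTC timestamp -> Unix epoch seconds (what Splunk keeps in _time)."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def bin_day(t):
    """`bin _time span=1d`: snap an epoch to the start of its (UTC) day, returned as YYYY-MM-DD."""
    start = t - (t % DAY)
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%d")


def daily_failures(events):
    """`stats count as Failed_Count by _time User signature` -> {(day, User, signature): Failed_Count}."""
    counts = Counter()
    for e in events:
        if e["EventCode"] != 4625:               # EventCode=4625
            continue
        if e["TargetUserName"].endswith("$"):    # NOT TargetUserName="*$" drops machine accounts
            continue
        user = f'{e["TargetDomainName"]}/{e["TargetUserName"]}'  # eval User=TargetDomainName."/".TargetUserName
        counts[(bin_day(epoch(e["_time"])), user, e["signature"])] += 1
    return dict(counts)


def rollups(counts):
    """The two follow-up eventstats: totals per signature and per User over the whole time range."""
    by_sig, by_user = defaultdict(int), defaultdict(int)
    for (_day, user, sig), n in counts.items():
        by_sig[sig] += n
        by_user[user] += n
    return dict(by_sig), dict(by_user)


def over_threshold(counts, minimum=3):
    """Rows where one user produced >= minimum failures of one signature within a single day."""
    return {k: n for k, n in counts.items() if n >= minimum}


def splunk_sum(values):
    """Model of Splunk's sum(): non-numeric values are skipped; if none are numeric the result is null."""
    nums = []
    for v in values:
        try:
            nums.append(float(v))
        except (TypeError, ValueError):
            pass
    return sum(nums) if nums else None


if __name__ == "__main__":
    counts = daily_failures(EVENTS)
    print("day         User        signature                           Failed_Count")
    for (day, user, sig), n in sorted(counts.items()):
        print(f"{day}  {user:<10}  {sig:<35} {n}")
    print("per signature / per user:", rollups(counts))
    print(">=3 of one signature in a day:", over_threshold(counts))
    # The question's `eventstats sum(User)` summed a string field, so Failed_Count
    # was null and `where Failed_Count >= 3` kept no rows at all.
    print("sum(User) =", splunk_sum(["CORP/alice", "CORP/bob"]))
```

Aggregating with `stats` first, as the answer recommends, means the follow-up roll-ups run over one row per day/user/signature rather than over every raw 4625 event; the threshold step then reads naturally as "N failures of one kind by one account in one day", which is the shape a spray or a broken scheduled task tends to show.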


maxywalker1
Explorer

Thanks for the ideas. I think I am trying to do too much at once: my intention was to map out, and possibly look at averaging over time, failed logon attempts by user and signature per day, but that may be biting off more than I (or Splunk) can chew in a manner that produces usable results.

I started to separate out the data by the signature field instead, producing several different groups of data/reports, which seems to work a bit more easily.

index=wineventlog EventCode=4625 NOT TargetUserName="*$" signature="Account is currently disabled"
| bucket _time span=1d
| eval User=TargetDomainName."/".TargetUserName 
| stats count by User src _time
| timechart sum(count) as count by User