Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Would my search detect a malicious user, attempting to connect to multiple destinations, but only one failed login to each destination?

jacqu3sy
Path Finder
‎02-27-2017 02:44 AM

Problem with this search?

Would the following search detect a malicious user, trying to connect to multiple destinations using a specific username, but only one failed login to each destination? My understanding is that the count against one specific destination would have to be greater than 5 for this to fire an alert.

| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user","Authentication.dest"  
| rename "Authentication.user" as "user ","Authentication.dest" as "dest" 
| where 'count'>5

Would it however detect an attack against say, 100 destinations, where there was just 1 failed login against each host? Someone trying to brute force a username 'Administratror' for example and fly under the >5 trigger?

Thanks.

0 Karma
Reply

DalJeanis
Legend
‎02-27-2017 07:49 AM

You are correct that it would not detect such an attack. You could set up an additional search (with perhaps a different threshold for triggering) by moving the "by destination" portion of the search, something like this.

 | tstats `summariesonly` count list ("Authentication.dest") as "dest" from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user"
 | rename "Authentication.user" as "user "
 | where 'count'>10
0 Karma
Reply

jacqu3sy
Path Finder
‎02-27-2017 08:20 AM

Thanks for confirming. Much appreciated.

I did try your alternative search but it returned;
Error in 'stats' command: The argument '(Authentication.dest)' is invalid.

I'll play around with it. Thanks again.

0 Karma
Reply

DalJeanis
Legend
‎02-28-2017 10:13 PM

Sure. I wondered about that.

Look up the eventSearch value in the search.log for your original tstats search, and see what splunk substituted for "Authentication.dest" . Use that same underlying data model item in the "list() as dest" clause.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...