Splunk Search

Would my search detect a malicious user, attempting to connect to multiple destinations, but only one failed login to each destination?

jacqu3sy
Path Finder

Problem with this search?

Would the following search detect a malicious user, trying to connect to multiple destinations using a specific username, but only one failed login to each destination? My understanding is that the count against one specific destination would have to be greater than 5 for this to fire an alert.

| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user","Authentication.dest"
| rename "Authentication.user" as "user","Authentication.dest" as "dest"
| where 'count'>5

Would it, however, detect an attack against, say, 100 destinations, where there was just 1 failed login against each host? Someone trying to brute force a username 'Administrator', for example, and fly under the >5 trigger?

Thanks.

0 Karma

DalJeanis
Legend

You are correct that it would not detect such an attack. You could set up an additional search (with perhaps a different threshold for triggering) by moving the "by destination" portion of the search, something like this.

| tstats `summariesonly` count list ("Authentication.dest") as "dest" from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user"
| rename "Authentication.user" as "user"
| where 'count'>10
0 Karma
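The following is an added example, not code from either poster, that replays the two searches above as plain Python aggregations over a constructed set of Failed_Authentication events (user, dest). It shows why the original per-(user, dest) search misses a one-attempt-per-host spray, and it adds a distinct-destination count per user, which is the SPL `dc(Authentication.dest)`, alongside the raw per-user count. The event data, the usernames and hostnames, and the thresholds are all constructed for illustration.

```python
"""Added example (not from the original thread): the two Splunk searches
discussed above as Python aggregations over constructed events.

search_by_user_dest: count per (user, dest), alert when count > 5.
search_by_user: count per user plus distinct destinations per user
(dc(Authentication.dest) in SPL), alert on either threshold.
"""
from collections import Counter, defaultdict

# Constructed sample of Authentication.Failed_Authentication events as
# (user, dest) pairs. Not real data.
EVENTS = (
    # brute force of one account against one host: 7 failures
    [("svc_backup", "db01")] * 7
    # low-and-slow spray: 'Administrator' once against each of 12 hosts
    + [("Administrator", f"host{i:02d}") for i in range(12)]
    # background noise: a user mistyping a password twice
    + [("jsmith", "ws42")] * 2
)


def search_by_user_dest(events, threshold=5):
    """Original search: tstats count ... by user, dest | where count > threshold.
    Returns {(user, dest): count} for pairs over the threshold."""
    counts = Counter(events)
    return {k: v for k, v in counts.items() if v > threshold}


def search_by_user(events, count_threshold=10, dest_threshold=5):
    """Per-user variant: total failures and distinct destinations per user.
    Returns {user: {...}} for users whose total failure count exceeds
    count_threshold OR whose distinct destination count exceeds
    dest_threshold. The second condition is what catches a spray that
    stays under the per-host and per-user count limits."""
    counts = Counter(user for user, _ in events)
    dests = defaultdict(set)
    for user, dest in events:
        dests[user].add(dest)
    hits = {}
    for user, n in counts.items():
        dc = len(dests[user])
        if n > count_threshold or dc > dest_threshold:
            hits[user] = {"count": n, "dest_count": dc, "dests": sorted(dests[user])}
    return hits


if __name__ == "__main__":
    print("per (user, dest):", search_by_user_dest(EVENTS))
    print("per user:", search_by_user(EVENTS))
```

On the constructed events, the per-(user, dest) search fires only on svc_backup against db01; the Administrator spray produces 12 rows with count 1 and is never over the threshold. The per-user search fires on Administrator because both the total (12 > 10) and the distinct destination count (12 > 5) exceed their thresholds; an 8-host spray would pass the count check but still trip the distinct-destination check. In SPL the same shape is `| tstats `summariesonly` count dc(Authentication.dest) as dest_count from datamodel=Authentication where nodename=Authentication.Failed_Authentication by Authentication.user | where count>10 OR dest_count>5`; both dc() and values() are accepted by tstats. Tune the thresholds to the environment, and keep the original per-destination search as well, since a single-host brute force with few attempts is exactly what the per-user search does not see.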

jacqu3sy
Path Finder

Thanks for confirming. Much appreciated.

I did try your alternative search, but it returned:
Error in 'stats' command: The argument '(Authentication.dest)' is invalid.

I'll play around with it. Thanks again.

0 Karma

DalJeanis
Legend

Sure. I wondered about that.

Look up the eventSearch value in the search.log for your original tstats search, and see what Splunk substituted for "Authentication.dest". Use that same underlying data model item in the "list() as dest" clause.

0 Karma