Splunk Search
Highlighted

Would my search detect a malicious user, attempting to connect to multiple destinations, but only one failed login to each destination?

Path Finder

Problem with this search?

Would the following search detect a malicious user, trying to connect to multiple destinations using a specific username, but only one failed login to each destination? My understanding is that the count against one specific destination would have to be greater than 5 for this to fire an alert.

| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user","Authentication.dest"  
| rename "Authentication.user" as "user ","Authentication.dest" as "dest" 
| where 'count'>5

Would it however detect an attack against say, 100 destinations, where there was just 1 failed login against each host? Someone trying to brute force a username 'Administratror' for example and fly under the >5 trigger?

Thanks.

0 Karma
Highlighted

Re: Would my search detect a malicious user, attempting to connect to multiple destinations, but only one failed login to each destination?

SplunkTrust
SplunkTrust

You are correct that it would not detect such an attack. You could set up an additional search (with perhaps a different threshold for triggering) by moving the "by destination" portion of the search, something like this.

 | tstats `summariesonly` count list ("Authentication.dest") as "dest" from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user"
 | rename "Authentication.user" as "user "
 | where 'count'>10
0 Karma
Highlighted

Re: Would my search detect a malicious user, attempting to connect to multiple destinations, but only one failed login to each destination?

Path Finder

Thanks for confirming. Much appreciated.

I did try your alternative search but it returned;
Error in 'stats' command: The argument '(Authentication.dest)' is invalid.

I'll play around with it. Thanks again.

0 Karma
Highlighted

Re: Would my search detect a malicious user, attempting to connect to multiple destinations, but only one failed login to each destination?

SplunkTrust
SplunkTrust

Sure. I wondered about that.

Look up the eventSearch value in the search.log for your original tstats search, and see what splunk substituted for "Authentication.dest" . Use that same underlying data model item in the "list() as dest" clause.

0 Karma