Problem with this search?
Would the following search detect a malicious user, trying to connect to multiple destinations using a specific username, but only one failed login to each destination? My understanding is that the count against one specific destination would have to be greater than 5 for this to fire an alert.
| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user","Authentication.dest" | rename "Authentication.user" as "user ","Authentication.dest" as "dest" | where 'count'>5
Would it however detect an attack against say, 100 destinations, where there was just 1 failed login against each host? Someone trying to brute force a username 'Administratror' for example and fly under the >5 trigger?
You are correct that it would not detect such an attack. You could set up an additional search (with perhaps a different threshold for triggering) by moving the "by destination" portion of the search, something like this.
| tstats `summariesonly` count list ("Authentication.dest") as "dest" from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user" | rename "Authentication.user" as "user " | where 'count'>10
Thanks for confirming. Much appreciated.
I did try your alternative search but it returned;
Error in 'stats' command: The argument '(Authentication.dest)' is invalid.
I'll play around with it. Thanks again.
Sure. I wondered about that.
Look up the eventSearch value in the search.log for your original tstats search, and see what splunk substituted for "Authentication.dest" . Use that same underlying data model item in the "list() as dest" clause.