Splunk Search

how to set limit

parthou
Explorer

Hello Experts,

I am new to Splunk and am trying to build basic queries to build use cases. Currently I am working on a query use case wherein I want to list the users for whom a successful attempt is observed after multiple unsuccessful attempts. For example, after 5 unsuccessful attempts (event code 4625), one successful attempt (event code 4624) is observed.

Any suggestion to achieve this use case will be appreciated.

Thanks in advance.

Parth

gcusello
SplunkTrust

Hi @parthou ,

you're speaking of a brute force use case.

you have to create a search to have only the EventCodes you need (4624 and 4625).

I'm usually not interested in 4624 but only in 4625, so it's easy to create an alert that runs e.g. every 5 minutes and put a threshold of 10 tries:

index=wineventlog EventCode=4625 earliest=-5m@m latest=now
| stats count
| where count>10

if you also want 4624 you could run something like this:

index=wineventlog (EventCode=4624 OR EventCode=4625) earliest=-5m@m latest=now
| transaction Account_name host startswith="EventCode=4625" endswith="EventCode=4624"
| where linecount>11

but in this second case, you don't trace the cases where there isn't a login.

Ciao.

Giuseppe

parthou
Explorer

Hi @gcusello

First of all, thank you so much for your prompt response. Here I am not looking for an exact brute force (but yes, kind of) use case. I am looking for something like: if user X has performed 5 login failures in 1 hour and then does a successful login, we should get that info in our dashboard.

Hope this is helpful.

Thanks,

Parth


gcusello
SplunkTrust

Hi @parthou ,

you can use my search to put it in a dashboard using a table:

index=wineventlog (EventCode=4624 OR EventCode=4625) earliest=-5m@m latest=now
| transaction Account_name host startswith="EventCode=4625" endswith="EventCode=4624"
| where linecount>6
| table _time duration Account_name host

or in a time distribution:

index=wineventlog (EventCode=4624 OR EventCode=4625) earliest=-5m@m latest=now
| transaction Account_name host startswith="EventCode=4625" endswith="EventCode=4624"
| timechart count BY host

Ciao.

Giuseppe

parthou
Explorer

Hi @gcusello ,

could you please try the query below:

index="index name" EventCode=4625 sourcetype=WinEventLog
| stats count by host, user
| where count>5
| join type=left host,user
[ search index="infra_it" EventCode=4624 sourcetype=WinEventLog
| stats count as Logged_details by host,user]
| where isnull(Logged_details)

Thanks,

Parth

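As an added reference implementation (not from this thread and not Splunk code), the two rule shapes discussed above written in Python and run over constructed sample events, so search output can be compared against a known answer: `failed_then_success` follows the transaction searches (at least N 4625 events for the same account and host inside the window, then a 4624), and `failures_without_success` follows the stats/join shape (accounts with at least N failures and no 4624 at all). The 5-failure threshold, the 1-hour window and the event codes come from the thread; the sample events, field layout and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real log data: (timestamp, EventCode, user, host).
# EventCode 4625 = failed logon, 4624 = successful logon, as in the thread's searches.
SAMPLE_EVENTS = [
    (f"2024-05-01 09:{m:02d}:00", 4625, "alice", "WS01") for m in (0, 2, 5, 7, 9)
] + [
    ("2024-05-01 09:11:00", 4624, "alice", "WS01"),  # success after 5 failures within an hour
    ("2024-05-01 08:00:00", 4625, "bob", "WS02"),
    ("2024-05-01 08:30:00", 4625, "bob", "WS02"),
    ("2024-05-01 10:15:00", 4624, "bob", "WS02"),    # success, but only 2 failures before it
] + [
    (f"2024-05-01 11:{m:02d}:00", 4625, "carol", "WS03") for m in range(0, 30, 5)
]  # carol: 6 failures and no successful logon at all


def failed_then_success(events, threshold=5, window=timedelta(hours=1)):
    """Mirror of the transaction searches: one hit per 4624 that is preceded by at
    least `threshold` 4625 events for the same (user, host) within `window`."""
    recent = defaultdict(deque)  # (user, host) -> failure timestamps still inside the window
    hits = []
    for ts, code, user, host in sorted(events, key=lambda e: e[0]):
        t, q = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), recent[(user, host)]
        while q and t - q[0] > window:  # age out failures older than the window
            q.popleft()
        if code == 4625:
            q.append(t)
        elif code == 4624:
            if len(q) >= threshold:
                hits.append((ts, user, host, len(q)))
            q.clear()  # a success ends the failure streak
    return hits


def failures_without_success(events, threshold=5):
    """Mirror of the stats/join shape: (user, host) pairs with at least `threshold`
    failures and no successful logon anywhere in the search window."""
    failures, succeeded = defaultdict(int), set()
    for _, code, user, host in events:
        if code == 4625:
            failures[(user, host)] += 1
        elif code == 4624:
            succeeded.add((user, host))
    return sorted(k for k, n in failures.items() if n >= threshold and k not in succeeded)


if __name__ == "__main__":
    print(failed_then_success(SAMPLE_EVENTS))
    print(failures_without_success(SAMPLE_EVENTS))
```

On the sample input the first function reports only alice (5 failures, then a success) and the second only carol (6 failures, never a success), which is how the two rule shapes differ on the same data.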

gcusello
SplunkTrust

Hi @parthou ,

it seems to be correct, but I cannot test it; does it run in your environment?

Ciao.

Giuseppe


parthou
Explorer

Hi @gcusello ,

Yes, it gives me some results, but I am not able to validate whether they are right or wrong.

Thanks,

Parth


gcusello
SplunkTrust

Hi @parthou ,

to validate your results you can run each search by itself and manually compare the results.

Anyway, in my opinion it seems to be correct.

Ciao.

Giuseppe

parthou
Explorer

Thanks, and apologies for the delay in the reply.

Thanks,

Parth
