Splunk Search

query to return multiple user login attempts from same IP

MattQ
Explorer

Trying to build a query that will return values in the event of multiple userIDs attempting to login from a single IP. (looking for someone from an IP address trying a user list).

Time for the query would/could be an hour or a day. If it could be rolling e.g. From the time X when initial login attempt from IP a.b.c.d for userID 'SAM' occurs - in the next 30 minutes are 2 more attempts to login from same IP a.b.c.d attempted for userID not-equal to 'SAM'

Tags (1)
0 Karma
1 Solution

rtadams89
Contributor

I can think of a few ways to do this depending on what your data looks like and what you plan to do with the results. You could use the "transaction" command to merge events from the same IP. After that, the "login_name" field will have multivalues and you a "... | where mvcount(login_name) > 1 " command to see only events involving multiple login names from the same IP. Alternatively, you could us a "... | stats values(login_name) by IP" to get a tabular output of all the login_names associated with each IP.

View solution in original post

0 Karma

rtadams89
Contributor

I can think of a few ways to do this depending on what your data looks like and what you plan to do with the results. You could use the "transaction" command to merge events from the same IP. After that, the "login_name" field will have multivalues and you a "... | where mvcount(login_name) > 1 " command to see only events involving multiple login names from the same IP. Alternatively, you could us a "... | stats values(login_name) by IP" to get a tabular output of all the login_names associated with each IP.

0 Karma

rtadams89
Contributor

I'm assuming you are trying to find IPs attempting to bruteforce their way into your system. If so, you might want to use "... | stats dc(login_name) by IP | where dc(login_name)>5". This will give you a table of all the IPs that have tried more than 5 login names.

0 Karma

samsingnok
Engager

what should i write if i need to put a time interval of within 30 mins? like ex: bucket span=30m _time(is this correct?)

0 Karma

MattQ
Explorer

Thank you. This works. I knew there was a way, just not creative enough to get there

0 Karma
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...