query to return multiple user login attempts from same IP

MattQ
Explorer

Trying to build a query that will return values in the event of multiple userIDs attempting to login from a single IP. (looking for someone from an IP address trying a user list).

Time for the query would/could be an hour or a day. If it could be rolling, e.g. from the time X when the initial login attempt from IP a.b.c.d for userID 'SAM' occurs, in the next 30 minutes there are 2 more attempts to login from the same IP a.b.c.d for a userID not equal to 'SAM'.

1 Solution

rtadams89
Contributor

I can think of a few ways to do this depending on what your data looks like and what you plan to do with the results. You could use the "transaction" command to merge events from the same IP. After that, the "login_name" field will have multivalues and you can use a "... | where mvcount(login_name) > 1" command to see only events involving multiple login names from the same IP. Alternatively, you could use "... | stats values(login_name) by IP" to get a tabular output of all the login_names associated with each IP.


rtadams89
Contributor

I'm assuming you are trying to find IPs attempting to bruteforce their way into your system. If so, you might want to use "... | stats dc(login_name) by IP | where dc(login_name)>5". This will give you a table of all the IPs that have tried more than 5 login names.


samsingnok
Engager

What should I write if I need to put a time interval of within 30 mins? Like, for example: bucket span=30m _time (is this correct?)

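The thread discusses three slightly different detections: a per-IP list of usernames (stats values by IP), a distinct-username count per IP with a threshold (stats dc by IP | where dc > 5), and the original question's rolling condition (two more usernames within 30 minutes of a first attempt). The following is an added example, not code from this thread or from Splunk, that reproduces each of those in plain Python over a constructed set of log lines so they can be compared side by side. The key=value log format, field names (src_ip, login_name) and IP addresses are assumptions. It also shows why `bucket span=30m _time` is not quite the rolling window asked for: bucket aligns to the clock, so a burst of attempts that straddles a 30-minute boundary is split across two buckets and can fall under the threshold, while the rolling window still catches it.

```python
"""Detect many different usernames attempted from one source IP.

Added example (not code from the Splunk Community thread): the SPL ideas
discussed above, reimplemented in Python on constructed sample events so
the variants can be compared:

  * distinct_users_by_ip   ~  ... | stats values(login_name) by IP
  * fixed_bucket_distinct  ~  ... | bucket span=30m _time
                               | stats dc(login_name) by IP, _time
  * rolling_window_alerts  ~  the rolling "2 more usernames within 30 minutes
                               of the first attempt" condition the question
                               asks for, which clock-aligned buckets miss
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events. The key=value layout and the field names
# src_ip / login_name are assumptions; the thread does not show its logs.
SAMPLE_LOG = """\
2024-12-01T10:05:00Z src_ip=203.0.113.9 login_name=carol action=login_failed
2024-12-01T10:10:00Z src_ip=203.0.113.9 login_name=carol action=login_failed
2024-12-01T10:45:00Z src_ip=198.51.100.7 login_name=bob action=login_failed
2024-12-01T10:20:00Z src_ip=198.51.100.7 login_name=SAM action=login_failed
2024-12-01T10:35:00Z src_ip=198.51.100.7 login_name=alice action=login_failed
2024-12-01T11:30:00Z src_ip=198.51.100.7 login_name=SAM action=login_failed
2024-12-01T10:12:00Z src_ip=203.0.113.9 login_name=carol action=login_success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src_ip=(?P<ip>\S+)\s+login_name=(?P<user>\S+)")


def parse_events(text):
    """Parse log lines into (timestamp, ip, user) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not login attempts
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"]))
    events.sort()  # input order is not guaranteed; everything below relies on time order
    return events


def distinct_users_by_ip(events):
    """Like `stats values(login_name) by IP`: ip -> sorted list of usernames."""
    users = defaultdict(set)
    for _, ip, user in events:
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items()}


def fixed_bucket_distinct(events, span_minutes=30):
    """Like `bucket span=30m _time | stats dc(login_name) by IP, _time`.

    Returns {(ip, bucket_start): distinct_user_count}. Buckets are aligned to
    the clock, so a burst that straddles a boundary is split in two.
    """
    span = span_minutes * 60
    users = defaultdict(set)
    for ts, ip, user in events:
        epoch = int(ts.timestamp())
        bucket = datetime.fromtimestamp(epoch - epoch % span, tz=timezone.utc)
        users[(ip, bucket)].add(user)
    return {key: len(u) for key, u in users.items()}


def rolling_window_alerts(events, window=timedelta(minutes=30), min_other_users=2):
    """Rolling version of the question's condition.

    For every attempt (the seed) from an IP, count the distinct *other*
    usernames tried from the same IP within `window` after it. Returns one
    alert (ip, seed_user, seed_time, other_users) per seed that reaches
    `min_other_users`.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    alerts = []
    for ip, attempts in by_ip.items():
        for i, (seed_ts, seed_user) in enumerate(attempts):
            others = set()
            for ts, user in attempts[i + 1:]:
                if ts - seed_ts > window:
                    break  # attempts are time-ordered; nothing later can qualify
                if user != seed_user:
                    others.add(user)
            if len(others) >= min_other_users:
                alerts.append((ip, seed_user, seed_ts, sorted(others)))
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(distinct_users_by_ip(evts))
    for key, n in sorted(fixed_bucket_distinct(evts).items()):
        print(key, n)
    for alert in rolling_window_alerts(evts):
        print("ALERT", alert)
```

On the sample data 198.51.100.7 tries SAM at 10:20, alice at 10:35 and bob at 10:45. With clock-aligned 30-minute buckets the SAM attempt lands in the 10:00 bucket and the other two in the 10:30 bucket, so no bucket ever exceeds 2 distinct usernames; the rolling window anchored at the SAM attempt sees all three. 203.0.113.9 retries the same username repeatedly and never alerts, which is the distinction between a single user fumbling a password and one source walking a user list. The threshold (min_other_users, or the 5 in the stats dc answer) is the knob to tune against your own baseline of shared NAT or proxy addresses.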

MattQ
Explorer

Thank you. This works. I knew there was a way, just not creative enough to get there.
