Splunk Search

query to return multiple user login attempts from same IP

MattQ
Explorer

Trying to build a query that will return values in the event of multiple user IDs attempting to log in from a single IP (looking for someone from an IP address trying a user list).

The time frame for the query would/could be an hour or a day. It would be better if it could be rolling, e.g. from the time X when an initial login attempt from IP a.b.c.d for user ID 'SAM' occurs, 2 more attempts to log in from the same IP a.b.c.d are made in the next 30 minutes for a user ID not equal to 'SAM'.

1 Solution

rtadams89
Contributor

I can think of a few ways to do this depending on what your data looks like and what you plan to do with the results. You could use the "transaction" command to merge events from the same IP. After that, the "login_name" field will have multiple values and you can use a "... | where mvcount(login_name) > 1" command to see only events involving multiple login names from the same IP. Alternatively, you could use "... | stats values(login_name) by IP" to get a tabular output of all the login names associated with each IP.

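The two forms the accepted answer describes, written out in full as an added example (this is not code from the original post). It assumes an index named auth, a sourcetype linux_secure, a field action=failure that marks failed logins, and source-IP and account fields named src_ip and user; all of these are placeholders, so substitute your own index and field names (the answer calls them IP and login_name).

```spl
index=auth sourcetype=linux_secure action=failure
| transaction src_ip maxspan=30m maxpause=10m
| where mvcount(user) > 1
| table _time src_ip user eventcount duration

index=auth sourcetype=linux_secure action=failure
| stats count AS attempts dc(user) AS distinct_users values(user) AS users min(_time) AS first_seen max(_time) AS last_seen by src_ip
| where distinct_users > 1
| convert ctime(first_seen) ctime(last_seen)
| sort - distinct_users
```

Run them one at a time. The first search groups each IP's failures into transactions no longer than 30 minutes with gaps of at most 10 minutes between events; when the grouped attempts used different accounts the user field becomes multivalued, and mvcount(user) > 1 keeps only those transactions. transaction is memory-intensive and caps the events it will fold into one group (maxevents is 1000 by default), so for an hour or a day of data the second search is the cheaper and safer form: one row per source IP with the number of attempts, the number of distinct accounts tried, the account list and the first and last attempt times, which is also the shape you want when you later put a threshold on the distinct-account count.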


rtadams89
Contributor

I'm assuming you are trying to find IPs attempting to brute-force their way into your system. If so, you might want to use "... | stats dc(login_name) by IP | where dc(login_name)>5". This will give you a table of all the IPs that have tried more than 5 login names.


samsingnok
Engager

What should I write if I need to put in a time interval of within 30 mins? For example: bucket span=30m _time (is this correct?)

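An added example (not an answer from anyone on this thread) showing two ways to scope the distinct-account count to 30 minutes: fixed 30-minute buckets, as asked about in the comment above, and a rolling 30-minute window, which is what the original question describes. It assumes an index auth, a sourcetype linux_secure, a field action=failure for failed logins, and fields src_ip and user; all of these are placeholders to replace with your own.

```spl
index=auth sourcetype=linux_secure action=failure
| bin _time span=30m
| stats dc(user) AS distinct_users count AS attempts values(user) AS users by _time src_ip
| where distinct_users > 2

index=auth sourcetype=linux_secure action=failure
| sort 0 _time
| streamstats time_window=30m dc(user) AS distinct_users count AS attempts values(user) AS window_users by src_ip
| where distinct_users > 2
| stats min(_time) AS first_alert max(distinct_users) AS peak_distinct_users max(attempts) AS peak_attempts values(window_users) AS users by src_ip
| convert ctime(first_alert)
```

bin is the current name of the bucket command, so bucket span=30m _time does the same thing. That first search is the fixed-window version: every IP's failures are counted inside aligned 30-minute slots, which is simple and cheap, but a run that straddles a slot boundary (say 10:55 to 11:10) is split across two rows and may stay under the threshold in both. The second search is the rolling version: after sorting oldest first, streamstats recomputes the distinct-account count over the trailing 30 minutes of each IP's own events, so the row for the third attempt already reflects SAM plus the two accounts tried after it regardless of clock alignment, and the closing stats collapses all matching rows to one line per IP with the time the condition was first met. distinct_users > 2 means "SAM plus two other user IDs"; lower it to > 1 if a single second account within the window should already alert, or raise it toward the > 5 suggested above for noisier environments.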

MattQ
Explorer

Thank you. This works. I knew there was a way, just not creative enough to get there.
