Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help writing query to alert if an account has failed to authenticate to the same Windows server 3 times, followed by a successful logon (same account, same host) in a period of 10 minutes

kfettig
Explorer
‎06-07-2018 10:40 AM

Hello, everyone -

I'm a complete n00b to Splunk and am in need of some direction and help. I need to write a query to alert when an account fails to authenticate to the same Windows server 5 times, followed by a successful logon, within a 10 minute span.

I've read and experimented so much that it's all starting to be nonsensical.
Any help writing this query is much appreciated.

Warm regards,

Kristen

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kfettig
Explorer
‎06-13-2018 10:13 AM

Hi again,

Below is the query that I eventually came up with. I needed it to only fire an alert if a user+host combination had a certain number of failed logon attempts followed by a successful event within 10 minutes. Another thing I noticed is that event ID 4625 can also be logged in the Application log (I don't recall what logs it), and that Windows 2008R2 and Windows 2012R2 call the name of the file different names: Logfile and LogName, hence that addition to the beginning of the query. Hope this is helpful to someone else.

("Logfile=Security" OR "LogName=Security") AND (EventCode=4625 OR EventCode=4624) | eval username=mvindex(Account_Name, 1) | streamstats count(eval(match(EventCode, "4625"))) as Failed, count(eval(match(EventCode, "4624"))) as Success reset_on_change=true by username | eval alert=if(Failed>3, "yes", "no") |  where Failed > 3 | eval newname=username, newhost=host | where (Success > 1 AND host=newhost AND username=newname) | eval end_alert="YES" | table _time, username, host, Failed, Success, alert, newname, newhost, end_alert

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kfettig
Explorer
‎06-13-2018 10:13 AM

Hi again,

Below is the query that I eventually came up with. I needed it to only fire an alert if a user+host combination had a certain number of failed logon attempts followed by a successful event within 10 minutes. Another thing I noticed is that event ID 4625 can also be logged in the Application log (I don't recall what logs it), and that Windows 2008R2 and Windows 2012R2 call the name of the file different names: Logfile and LogName, hence that addition to the beginning of the query. Hope this is helpful to someone else.

("Logfile=Security" OR "LogName=Security") AND (EventCode=4625 OR EventCode=4624) | eval username=mvindex(Account_Name, 1) | streamstats count(eval(match(EventCode, "4625"))) as Failed, count(eval(match(EventCode, "4624"))) as Success reset_on_change=true by username | eval alert=if(Failed>3, "yes", "no") |  where Failed > 3 | eval newname=username, newhost=host | where (Success > 1 AND host=newhost AND username=newname) | eval end_alert="YES" | table _time, username, host, Failed, Success, alert, newname, newhost, end_alert
0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-07-2018 01:45 PM

Here is a Brute Force Detection search from the Security Essentials app (free on Splunkbase). I recommend downloading this app since it has hundreds of Security related use cases with SPL code. This example assumes the data source is Windows Security logs and I had to tweak it based on your requirements.

sourcetype="WinEventLog:Security" Account_Name=* 
| bucket _time span=10m 
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by Account_Name dest _time 
| where successes>0 AND failures>5
0 Karma
Reply
Solved! Jump to solution

kfettig
Explorer
‎06-08-2018 09:24 AM

Ok, I've tried the query as-is. It's returning results, but I need help to narrow it down even more. As it is written, it's just looking for the word "success" and the word "failure" and counting them up. I only want to track situations where there is more than one failed logon from the same account name on the same host in 10 minutes, and if there are >5 failed attempts from the same account name on the same host, look for a successful logon from that account name on that host. If that successful logon is found, send an alert. The specific event IDs in question are 4624 (successful logon), 4625 (failed logon), and 4776 (NTLM successful and failed).
Does this make sense? I don't have any code to post yet since I'm stuck at the gate. Again, any and all help is much appreciated.

0 Karma
Reply
Solved! Jump to solution

kfettig
Explorer
‎06-08-2018 07:15 AM

Hi kmorris,

Thank you for getting back to me so quickly. I appreciate your time. It doesn't work as-is, but definitely points me in the right direction.
Thank you also for recommending the Security Essentials. I hadn't heard of that before.
I'm going to play with your query now. I'm sure I will need your help again at some point, but then I'll at least have some SPL for you.

Warm regards,
Kristen

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...