Need help writing query to alert if an account has failed to authenticate to the same Windows server 3 times, followed by a successful logon (same account, same host) in a period of 10 minutes

kfettig
Explorer

Hello, everyone -

I'm a complete n00b to Splunk and am in need of some direction and help. I need to write a query to alert when an account fails to authenticate to the same Windows server 5 times, followed by a successful logon, within a 10 minute span.

I've read and experimented so much that it's all starting to be nonsensical.
Any help writing this query is much appreciated.

Warm regards,

Kristen

0 Karma
1 Solution

kfettig
Explorer

Hi again,

Below is the query that I eventually came up with. I needed it to only fire an alert if a user+host combination had a certain number of failed logon attempts followed by a successful event within 10 minutes. Another thing I noticed is that event ID 4625 can also be logged in the Application log (I don't recall what logs it), and that Windows 2008R2 and Windows 2012R2 call the name of the file different names: Logfile and LogName, hence that addition to the beginning of the query. Hope this is helpful to someone else.

("Logfile=Security" OR "LogName=Security") AND (EventCode=4625 OR EventCode=4624)
| eval username=mvindex(Account_Name, 1)
| streamstats count(eval(match(EventCode, "4625"))) as Failed, count(eval(match(EventCode, "4624"))) as Success reset_on_change=true by username
| eval alert=if(Failed>3, "yes", "no")
| where Failed > 3
| eval newname=username, newhost=host
| where (Success > 1 AND host=newhost AND username=newname)
| eval end_alert="YES"
| table _time, username, host, Failed, Success, alert, newname, newhost, end_alert

0 Karma

kmorris_splunk
Splunk Employee

Here is a Brute Force Detection search from the Security Essentials app (free on Splunkbase). I recommend downloading this app since it has hundreds of Security related use cases with SPL code. This example assumes the data source is Windows Security logs and I had to tweak it based on your requirements.

sourcetype="WinEventLog:Security" Account_Name=* 
| bucket _time span=10m 
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by Account_Name dest _time 
| where successes>0 AND failures>5
0 Karma

kfettig
Explorer

Ok, I've tried the query as-is. It's returning results, but I need help to narrow it down even more. As it is written, it's just looking for the word "success" and the word "failure" and counting them up. I only want to track situations where there is more than one failed logon from the same account name on the same host in 10 minutes, and if there are >5 failed attempts from the same account name on the same host, look for a successful logon from that account name on that host. If that successful logon is found, send an alert. The specific event IDs in question are 4624 (successful logon), 4625 (failed logon), and 4776 (NTLM successful and failed).
Does this make sense? I don't have any code to post yet since I'm stuck at the gate. Again, any and all help is much appreciated.

0 Karma
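
The rule described in this thread (same account, same host, failed logons with event ID 4625 followed by a successful 4624 within 10 minutes), as an added example that is not part of any post here, written in Python rather than SPL and run over constructed events. The tuple layout, the function names, the default threshold of 5 and the sample hosts and accounts are assumptions; the window slides per host+account pair, so a sequence that crosses a fixed 10-minute bucket boundary still matches and a success that comes before the failures does not.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624            # event IDs named in the thread

def detect(events, threshold=5, window=timedelta(minutes=10)):
    """events: iterable of (time, host, username, event_code) tuples.
    Returns (time, host, username, failures) for every successful logon that
    follows >= threshold failures by the same account on the same host,
    all inside one sliding window ending at the success."""
    recent = defaultdict(deque)         # (host, username) -> failure times
    alerts = []
    for ts, host, user, code in sorted(events):
        fails = recent[(host.lower(), user.lower())]
        while fails and ts - fails[0] > window:
            fails.popleft()             # forget failures older than the window
        if code == FAILED:
            fails.append(ts)
        elif code == SUCCESS:
            if len(fails) >= threshold:
                alerts.append((ts, host, user, len(fails)))
            fails.clear()               # a success ends the failure streak
    return alerts

def ts_at(hhmm):
    """Constructed timestamp on an arbitrary day."""
    return datetime.fromisoformat(f"2021-01-01T{hhmm}:00")

# Constructed sample events, not real log data.
SAMPLE = (
    # alice: 5 failures then a success, spanning the 09:10 boundary -> alert
    [(ts_at(t), "SRV01", "alice", FAILED)
     for t in ("09:06", "09:07", "09:08", "09:09", "09:11")]
    + [(ts_at("09:12"), "SRV01", "alice", SUCCESS)]
    # bob: success first, failures afterwards -> no alert
    + [(ts_at("10:00"), "SRV02", "bob", SUCCESS)]
    + [(ts_at(f"10:0{m}"), "SRV02", "bob", FAILED) for m in range(1, 6)]
    # carol: failures on SRV01, success on a different host -> no alert
    + [(ts_at(f"11:0{m}"), "SRV01", "carol", FAILED) for m in range(1, 6)]
    + [(ts_at("11:06"), "SRV03", "carol", SUCCESS)]
)

if __name__ == "__main__":
    for ts, host, user, n in detect(SAMPLE):
        print(f"{ts} {user}@{host}: {n} failed logons, then a success")
```
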

kfettig
Explorer

Hi kmorris,

Thank you for getting back to me so quickly. I appreciate your time. It doesn't work as-is, but definitely points me in the right direction.
Thank you also for recommending the Security Essentials. I hadn't heard of that before.
I'm going to play with your query now. I'm sure I will need your help again at some point, but then I'll at least have some SPL for you.

Warm regards,
Kristen

0 Karma