Getting Data In

Successfull brute force loggings

ecanmaster
Explorer

I am looking for successfull brute force logins
basically I am looking for 5 failed logings followed by 1 successfull login
I found the below search and it seems to be working, but it's just counting the fails and success,
there is no time sequence
it isnt looking for the first 5 failed loggings, it counts all the failed and succeefull logings
and then makes a count,
how can I add the time awareness (5 failed loggings followed by 1 successfull within 5 or 10 min)?

action= failed or success (login)
user= userid's
index=* | bucket _time span=30m | stats list(action) as Attempts, count(eval(match(action,"failure"))) as Failed, count(eval(match(action,"success"))) as Success by user | where mvcount(Attempts)>=6 AND Success=1 AND Failed>=5

Tags (1)
0 Karma

alemarzu
Motivator

Hi there @ecanmaster

Perhaps something like this might help you.

earliest=-11min@min latest=-1min@min your_main_search_here action="success"
 | stats count, latest(_time) AS lastLogin by user
 | eval timewindow=lastLogin - 600 
 | map maxsearches=100 search="your_main_search_here action="failure" earliest=$timewindow$ latest=$lastLogin$ user=$user$"
 | stats count, latest(_time) AS "Latest Attempt" by user 
 | convert ctime("Latest Attempt") 
 | rename user AS "Compromised Account", count AS "loginAttempts"
 | where loginAttempts > 4

This should search successful user logins in a 10 min window and if it finds one it goes back in time 10 min to find failed attempts in the last 10 minutes for each user/success login.

Could't tested it, hope it helps.

EDIT: Fixed. Thank you @DalJeanis

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@alemarzu - looks good with one fix and one improvement...

1) latest=-11m@m earliest=-1m@m

2) No need to kill the field count; it gets thrown away at the next command ( map ) anyway.

0 Karma

printul77700
Explorer

hmm,so for each successful login we go and execute?
isn’t more normal to search only when I see a fail, which are not so often as successful logins?
thanks

0 Karma

alemarzu
Motivator

Thank you!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...