Splunk Search

query to return multiple user login attempts from same IP

MattQ
Explorer

Trying to build a query that will return values in the event of multiple userIDs attempting to log in from a single IP (looking for someone from an IP address trying a user list).

Time for the query would/could be an hour or a day. If it could be rolling, e.g.: from the time X when the initial login attempt from IP a.b.c.d for userID 'SAM' occurs, are there 2 more attempts in the next 30 minutes to log in from the same IP a.b.c.d for a userID not equal to 'SAM'?

1 Solution

rtadams89
Contributor

I can think of a few ways to do this depending on what your data looks like and what you plan to do with the results. You could use the "transaction" command to merge events from the same IP. After that, the "login_name" field will have multiple values and you can use a "... | where mvcount(login_name) > 1" command to see only events involving multiple login names from the same IP. Alternatively, you could use a "... | stats values(login_name) by IP" to get a tabular output of all the login_names associated with each IP.


rtadams89
Contributor

I'm assuming you are trying to find IPs attempting to brute-force their way into your system. If so, you might want to use "... | stats dc(login_name) by IP | where dc(login_name)>5". This will give you a table of all the IPs that have tried more than 5 login names.


samsingnok
Engager

What should I write if I need to put in a time interval of within 30 mins? E.g.: bucket span=30m _time (is this correct?)

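The searches in this thread are SPL and need a Splunk instance to run. As an added illustration that is not part of the thread, the Python below reproduces both approaches offline over a handful of constructed login events: the fixed half-hour buckets (samsingnok's `bucket span=30m _time`, which is valid SPL, combined with rtadams89's `dc(login_name)` threshold) and the rolling 30-minute window MattQ originally asked for. The SPL quoted in the comments assumes the field names `IP` and `login_name` used in the thread; the sample IPs come from the RFC 5737 documentation ranges and the user names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, source IP, login name).
# Not real data: documentation-range IPs and invented names.
SAMPLE_EVENTS = [
    ("2024-03-01 09:00:00", "203.0.113.10", "sam"),
    ("2024-03-01 09:05:00", "203.0.113.10", "alice"),
    ("2024-03-01 09:20:00", "203.0.113.10", "bob"),    # sam, alice, bob within 30 min
    ("2024-03-01 09:02:00", "198.51.100.7", "carol"),
    ("2024-03-01 09:03:00", "198.51.100.7", "carol"),  # same user twice: one distinct name
    ("2024-03-01 09:10:00", "198.51.100.7", "dave"),
    ("2024-03-01 10:00:00", "192.0.2.55", "erin"),
    ("2024-03-01 10:45:00", "192.0.2.55", "frank"),    # 45 min after erin
    ("2024-03-01 11:10:00", "192.0.2.55", "grace"),    # 25 min after frank, but a new bucket
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"
OUT_FMT = "%Y-%m-%d %H:%M"


def parse_events(raw):
    """Turn (timestamp, ip, user) strings into time-sorted (datetime, ip, user) tuples."""
    return sorted((datetime.strptime(ts, TIME_FMT), ip, user) for ts, ip, user in raw)


def bucket_start(ts, span):
    """Floor ts to the start of its fixed-width bucket, like `bin _time span=30m`."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    into_day = (ts - midnight).total_seconds()
    span_s = span.total_seconds()
    return midnight + timedelta(seconds=into_day - into_day % span_s)


def distinct_users_per_bucket(events, span=timedelta(minutes=30)):
    """Fixed buckets, the SPL equivalent being
    ... | bin _time span=30m | stats dc(login_name) as users values(login_name) as names by IP, _time
    Returns {(ip, bucket start): sorted login names}."""
    buckets = defaultdict(set)
    for ts, ip, user in events:
        buckets[(ip, bucket_start(ts, span).strftime(OUT_FMT))].add(user)
    return {key: sorted(users) for key, users in buckets.items()}


def bucket_alerts(events, threshold=2, span=timedelta(minutes=30)):
    """`... | where users > threshold` over the bucketed table. rtadams89 suggested 5;
    the default is 2 here so the small sample triggers."""
    table = distinct_users_per_bucket(events, span)
    return sorted((ip, start, names) for (ip, start), names in table.items()
                  if len(names) > threshold)


def rolling_window_alerts(events, window=timedelta(minutes=30), min_other_users=2):
    """Rolling version of the question: anchor on each attempt (t0, u0) from an IP and
    count DISTINCT other login names seen from that IP in (t0, t0 + window].
    Fires when at least min_other_users are seen. Unlike fixed buckets, a burst
    that straddles a half-hour boundary is still caught."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:  # events are time-sorted, so each per-IP list is too
        by_ip[ip].append((ts, user))
    alerts = []
    for ip, attempts in by_ip.items():
        for i, (t0, u0) in enumerate(attempts):
            others = set()
            for t, u in attempts[i + 1:]:
                if t - t0 > window:
                    break  # sorted input: nothing later can fall inside the window
                if u != u0:
                    others.add(u)
            if len(others) >= min_other_users:
                alerts.append((ip, t0.strftime(OUT_FMT), u0, sorted(others)))
    return sorted(alerts)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for (ip, start), names in sorted(distinct_users_per_bucket(events).items()):
        print(f"{ip:14} bucket {start}: {len(names)} name(s) {names}")
    print("bucket alerts :", bucket_alerts(events))
    print("rolling alerts:", rolling_window_alerts(events))
```

On the sample data both methods flag 203.0.113.10, which tries three names inside 09:00-09:30. The 192.0.2.55 case shows the caveat with fixed buckets: frank at 10:45 and grace at 11:10 are 25 minutes apart but land in different half-hour bins, so `bin` never sees them together, while the rolling check does (lower `min_other_users` to 1 to see it fire). Splunk's `transaction IP maxspan=30m` followed by `where mvcount(login_name) > 2` is the closest SPL approximation to the rolling check, at the cost of transaction's memory use on large result sets.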

MattQ
Explorer

Thank you. This works. I knew there was a way, just not creative enough to get there.
