Security

Baseline and query for Anomalous Invalid Login Attempts

suvamondal
New Member

I am working on Anomalous Invalid Login Attempts where I need to do multiple login from a same user from different sites in 30 mins time span, so the below query I implemented

sourcetype=msad-successful-user-logons OR (EventCode=540 OR EventCode=4624)
NOT (user=$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| lookup ADSitesAndSubnets name as src_ip OUTPUT description as SiteName name as Subnet
| search NOT (SiteName=KDC OR SiteName=NDC) )### both are same region so not require
| lookup ComputerIPAddressTemporal ip AS src_ip OUTPUT computer AS ComputerName
| stats first(_time) as LastEventTime last(_time) as FirstEventTime by user src_ip SiteName ComputerName
| eval LogonData = ComputerName . "|" . SiteName . "|" . src_ip . "|" . strftime(FirstEventTime, "%H:%M:%S") . "|" . strftime(LastEventTime, "%H:%M:%S")
| stats dc(SiteName) as Number_Sites values(LogonData) as LogonData by user | where Number_Sites >= 2
| mvexpand LogonData

| rex field=LogonData "^(?<ComputerName>[^|]+)|(?<SiteName>[^|]+)|(?<src_ip>[^|]+)|(?<FirstEventTime>[^|]+)|(?<LastEventTime>[^|]+)$"

| ldapfilter domain=NEXEOSOLUTIONS search="(sAMAccountName=$user$)" attrs="distinguishedName"

| search distinguishedName="*OU=Nexeo Sync
"

| sort user SiteName ComputerName
| table user SiteName ComputerName src_ip FirstEventTime LastEventTime

Now my requirement is to define more baseline for “Anomalous Invalid Login Attempts”.
My question is what could be the possible baselines in this scenario and what will be query for that.

Tags (1)
0 Karma

hagjos43
Contributor

Defining a baseline can be tricky as each system and environment is different. You might need to build a dashboard with multiple panels (queries) to give you a broad idea of average behavior over time. I see you're in a windows environment, I'll suggest taking a look at a few known working Windows queries here: http://gosplunk.com/category/wineventlogsecurity/ You can probably find a few queries to throw together in a dashboard, as well as use and abuse the queries to come up with something that'll suit your needs.

In addition, I'd use statistical functions such as average, median, standard deviation (etc, etc) over a proper period of time (week / month, weekend vs weekday) to properly determine behavior and baselines.

My $.02 at least 🙂

0 Karma

jsven7
Communicator

Are you trying to get a report? Can you provide some sample data and the conditions that represent "Anomalous Invalid Login Attempts"?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...