Is my search correctly using the bucket command in order to detect brute force attempts against multiple destinations?

jacqu3sy
Path Finder

I have the following search and I'm not certain it's producing the correct results. The idea is to use it to detect brute force attempts whereby 1 source device attempts to connect to multiple destinations over a 1 second period making use of the Authentication datamodel, specifically for failed logins.

Current search looks as follows:

| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication Authentication.app!="win:unknown" by "Authentication.src","Authentication.dest" | rename "Authentication.src" as "Source_Device" | bucket _time span=1s | stats dc("Authentication.dest") as Destination_Device by Source_Device | where Destination_Device > 20

But I'm not certain whether it's producing results of failed connections over a period of time, say 30 days, or whether the results were all failed login attempts carried out over a 1 second period, as per the use of the bucket _time span=1s statement. The idea is to make the search into an alert to detect brute force attacks against multiple destinations.

Any thoughts?

Many thanks in advance!

1 Solution

somesoni2
SplunkTrust

Try like this

Updated

| tstats summariesonly=true dc("Authentication.dest") as Destination_Device from datamodel=Authentication where nodename=Authentication.Failed_Authentication Authentication.app!="win:unknown" by "Authentication.src" _time span=1s | rename "Authentication.src" as "Source_Device" | where Destination_Device > 20

jacqu3sy
Path Finder

so ditch the 'bucket' altogether?

0 Karma

somesoni2
SplunkTrust

The bucketing is happening as part of tstats command itself (include _time in the by clause and a span at the end of the tstats).

0 Karma

jacqu3sy
Path Finder

Ok, that makes sense. Slightly confused though: is Dal's ...by Source_Device needed as well? And would this go in an additional | stats search?

Sorry, new to Splunk. Slowly getting there.

0 Karma

somesoni2
SplunkTrust

In general, you fetch the required events in the base search (anything before the first pipe) and then you aggregate the results using stats/timechart or any other similar command. Whereas tstats is a special command which lets you do both, fetching and aggregation, in the same command itself. Since you were doing a simple stats, with bucketing based on _time, I was able to bundle that as a single tstats command. I would check the results (without the where clause) first and then add more aggregation, if required.

0 Karma

jacqu3sy
Path Finder

Awesome. Thanks for your help.

0 Karma

DalJeanis
SplunkTrust

Don't you need

...by Source_Device _time ...

in the final stats command?

0 Karma

somesoni2
SplunkTrust

Thanks Dal. Yes I do. In fact that gave me an idea to avoid the second stats altogether.

0 Karma

jpolcari
Communicator

Have you looked at the events to confirm you have some instances where there were 20 attempts to different machines from the same source host within the same second?

0 Karma
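Pulling the thread together, here is an added example search (not one posted by anyone above, and not the accepted answer itself) in the two-stage form somesoni2 describes, with the 1-second bucketing done inside tstats and Dal's "by Source_Device _time" on the final stats. It assumes the Enterprise Security Authentication data model with summaries enabled (summariesonly=true is the tstats argument the `summariesonly` macro expands to), and it deliberately leaves off the where clause so you can answer jpolcari's question and look at the actual per-second counts before turning it into an alert:

```spl
| tstats summariesonly=true count
    from datamodel=Authentication
    where nodename=Authentication.Failed_Authentication Authentication.app!="win:unknown"
    by "Authentication.src", "Authentication.dest", _time span=1s
| rename "Authentication.src" as Source_Device, "Authentication.dest" as Destination_Device
| stats dc(Destination_Device) as Destination_Count,
        values(Destination_Device) as Destinations,
        sum(count) as Failed_Attempts
        by Source_Device, _time
| sort 0 - Destination_Count
```

Each result row is one source in one 1-second bucket; Destination_Count is the distinct destinations it failed against in that second, so appending | where Destination_Count > 20 gives the alert condition, and if no row comes close to 20 the threshold or the 1s span (not the search) is what needs revisiting.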