Splunk Search

Would my search detect a malicious user, attempting to connect to multiple destinations, but only one failed login to each destination?

jacqu3sy
Path Finder

Problem with this search?

Would the following search detect a malicious user, trying to connect to multiple destinations using a specific username, but only one failed login to each destination? My understanding is that the count against one specific destination would have to be greater than 5 for this to fire an alert.

| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user","Authentication.dest"
| rename "Authentication.user" as "user","Authentication.dest" as "dest"
| where 'count'>5

Would it however detect an attack against say, 100 destinations, where there was just 1 failed login against each host? Someone trying to brute force a username 'Administrator' for example and fly under the >5 trigger?

Thanks.

0 Karma

DalJeanis
Legend

You are correct that it would not detect such an attack. You could set up an additional search (with perhaps a different threshold for triggering) by moving the "by destination" portion of the search, something like this.

| tstats `summariesonly` count list("Authentication.dest") as "dest" from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user"
| rename "Authentication.user" as "user"
| where 'count'>10
0 Karma
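As an added illustration (not part of the thread), the two aggregations behind the searches above, run in Python over a constructed set of failed-authentication events: the per user+dest threshold sees only the single-host brute force, while grouping by user alone surfaces the one-failure-per-host spray.

```python
# Added example, not from the thread: models the two tstats searches above as
# plain aggregations over constructed (user, dest) Failed_Authentication events.
from collections import Counter, defaultdict

# Constructed sample data.
FAILED_AUTH = (
    # One account hammering a single host: caught by count > 5 per user+dest.
    [("svc_backup", "db01")] * 7
    # A spray: exactly one failure per host for 'Administrator' on 12 hosts.
    + [("Administrator", f"host{i:02d}") for i in range(12)]
    # Ordinary users mistyping a password once or twice.
    + [("alice", "fs01"), ("bob", "fs01"), ("bob", "mail01")]
)


def failures_per_user_dest(events, threshold=5):
    """Equivalent of '... by user, dest | where count > threshold'.

    Returns {(user, dest): count} for pairs over the threshold."""
    counts = Counter(events)
    return {pair: n for pair, n in counts.items() if n > threshold}


def failures_per_user(events, threshold=10):
    """Equivalent of the reworked search: count failures per user only, and
    keep the destinations (like list(dest)) so the spread is visible.

    Returns {user: {"count": n, "dest": [...], "dest_count": distinct}}."""
    dests = defaultdict(list)
    for user, dest in events:
        dests[user].append(dest)
    return {
        u: {"count": len(d), "dest": sorted(set(d)), "dest_count": len(set(d))}
        for u, d in dests.items()
        if len(d) > threshold
    }


if __name__ == "__main__":
    print("by user,dest >5 :", failures_per_user_dest(FAILED_AUTH))
    print("by user     >10 :", failures_per_user(FAILED_AUTH))
```

The added `dest_count` (a distinct count, `dc()` in SPL) is what separates a spray across many hosts from a high-volume attack on one host once both exceed the per-user threshold.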

jacqu3sy
Path Finder

Thanks for confirming. Much appreciated.

I did try your alternative search but it returned:
Error in 'stats' command: The argument '(Authentication.dest)' is invalid.

I'll play around with it. Thanks again.

0 Karma

DalJeanis
Legend

Sure. I wondered about that.

Look up the eventSearch value in the search.log for your original tstats search, and see what Splunk substituted for "Authentication.dest". Use that same underlying data model item in the "list() as dest" clause.

0 Karma