Security

Filter "root" logins for Failed and Success outputs in succession

dsmeerkat
Explorer

Hello my Splunk Ninjas,

I have a tough one I am trying to figure out. I have a report that gives me:

index=blah sourcetype=unix action=failure
| lookup approved_server_ips ip as src OUTPUT filter
| search filter=0
| eval Local_1=split(upper(user),"\\")
| eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1))
| rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name
| stats count by index,Failed_Account_Name,Source_Device_IP,host
| where count>4
| sort by -count
| head $Local_alert_count$

This search runs fine however, I have instances where I will get a failed "root" login immediately followed by a successful login on the same system....

14:30:00 - 192.555.1.1 root Failed
14:30:02 - 192.555.1.1 root Success

I need to be able to eval these and, if I see a system (Source_Device_IP) with a "Failed" attempt immediately followed by a Success, not report this system, perhaps something along these lines?

| eval alert = if(match(list, "(?:failure\s?){1,}(?:success)"), "True", "False")


gcusello
SplunkTrust

Hi dsmeerkat,
I should try to extract a field with the result of the login, then add this field to stats and then use this field to filter, something like this:

index=blah sourcetype=unix action=failure
| lookup approved_server_ips ip as src OUTPUT filter
| search filter=0
| eval Local_1=split(upper(user),"\\")
| eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1))
| rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name
| rex "(?<Result>Failed|Success)"
| stats values(Result) AS Result count by index,Failed_Account_Name,Source_Device_IP,host
| where count>4
| sort by -count
| search Result=Failed Result=Success
| head $Local_alert_count$

(verify regex).
Bye.
Giuseppe


dsmeerkat
Explorer

Or better yet an eval against epochtime may be better

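The epoch-time approach mentioned in the thread, worked through as an added Python example that is not part of the original posts or Splunk's own code. It assumes the search feeding it returns both failure and success events (the thread's base search only returns failures), mirrors the `split(upper(user),"\\")` / `mvindex` account-name logic and the `stats count by ... | where count>4` threshold, and treats a source/account pair as suppressed when a Failed event is followed by a Success within a configurable window (5 seconds here, a constructed choice, since the thread gives no window). The events are constructed sample data using RFC 5737 test addresses.

```python
"""Suppress failed-login alerts when a Failed event is followed by a Success
within a short window, keyed on (source IP, account). Added example."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events in the shape the thread describes: (timestamp, src, user, result).
SAMPLE_EVENTS = [
    ("2024-01-01 14:30:00", "192.0.2.10", "root", "Failed"),
    ("2024-01-01 14:30:02", "192.0.2.10", "root", "Success"),  # Failed then Success 2s later
    ("2024-01-01 14:31:00", "192.0.2.10", "root", "Failed"),
    ("2024-01-01 14:31:10", "192.0.2.10", "root", "Failed"),
    ("2024-01-01 14:31:20", "192.0.2.10", "root", "Failed"),
    ("2024-01-01 14:31:30", "192.0.2.10", "root", "Failed"),
    ("2024-01-01 14:32:00", "198.51.100.7", "root", "Failed"),
    ("2024-01-01 14:32:01", "198.51.100.7", "root", "Failed"),
    ("2024-01-01 14:32:02", "198.51.100.7", "root", "Failed"),
    ("2024-01-01 14:32:03", "198.51.100.7", "root", "Failed"),
    ("2024-01-01 14:32:04", "198.51.100.7", "root", "Failed"),
    ("2024-01-01 14:40:00", "198.51.100.7", "root", "Success"),  # Success, but ~8 minutes later
]


def to_epoch(ts: str) -> int:
    """Parse the constructed timestamp format into epoch seconds (UTC assumed)."""
    return int(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


def local_account_name(user: str) -> str:
    """Same result as the thread's eval: upper-case the user, split on a backslash,
    take the part after it if present, otherwise keep the original user value."""
    parts = user.upper().split("\\")
    return parts[1] if len(parts) > 1 else user


def failed_then_success_keys(events, window_seconds: int = 5):
    """Return the set of (src, account) keys where a Failed event is followed
    by a Success for the same key within window_seconds (epoch comparison)."""
    by_key = defaultdict(list)
    for ts, src, user, result in events:
        by_key[(src, local_account_name(user))].append((to_epoch(ts), result))
    suppressed = set()
    for key, seq in by_key.items():
        seq.sort()  # order each key's events by time before pairing neighbours
        for (t_prev, r_prev), (t_next, r_next) in zip(seq, seq[1:]):
            if r_prev == "Failed" and r_next == "Success" and t_next - t_prev <= window_seconds:
                suppressed.add(key)
                break
    return suppressed


def failed_login_alerts(events, threshold: int = 4, window_seconds: int = 5):
    """Count Failed events per (src, account) like `stats count by ...`, keep only
    counts above threshold (`where count>4`), and drop keys showing Failed->Success."""
    suppressed = failed_then_success_keys(events, window_seconds)
    counts = defaultdict(int)
    for ts, src, user, result in events:
        if result == "Failed":
            counts[(src, local_account_name(user))] += 1
    ordered = sorted(counts.items(), key=lambda kv: -kv[1])  # `sort by -count`
    return {k: c for k, c in ordered if c > threshold and k not in suppressed}


if __name__ == "__main__":
    for (src, account), count in failed_login_alerts(SAMPLE_EVENTS).items():
        print(f"{src}\t{account}\t{count}")
```

Both sources in the sample data cross the count>4 threshold; only 198.51.100.7 is reported, because 192.0.2.10 had a Success two seconds after a Failed. Widening `window_seconds` to 600 would suppress 198.51.100.7 as well, so the window is the knob that decides how much the filter hides.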