
Can the Splunk Machine Learning Toolkit be used to help identify a cluster of failed logins on Windows and Unix servers?

jeremybe
New Member

Can the Splunk Machine Learning Toolkit be utilized to help identify a cluster of failed logins on Windows and Unix Servers? I'm trying to find a use case to help demonstrate the capabilities in an IT Security/Analytics context and this is all very new to me.

Thanks

0 Karma

aoliner_splunk
Splunk Employee

You can do both without the Splunk Machine Learning Toolkit, though you may find the Toolkit's Detect Numeric Outliers assistant helpful.

Start by identifying the failed logins. This is specific to your environment and there are many examples online:
http://gosplunk.com/repeated-unsuccessful-logon-attempts-in-linux/

I'll assume you've gotten to the point where you have the following fields: _time, host, username. If you want to use the Toolkit, you can send that through timechart to aggregate by some span (say, every 5 minutes) and bring that data into the Detect Numeric Outliers assistant:

... | table _time, host, username | timechart span=5m count 

Then, simply look for outliers in the number of failed logins. If you want to do this per host or per user, add that field in the split-by field in the assistant and you're done!

As for login attempts in rapid succession, a short span will detect that, or you could use streamstats to compute the time between login attempts and look for outliers there.
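The pipeline this answer describes, as an added example that is not part of the original post and is not Splunk code: a small Python script that does offline what `timechart span=5m count by host`, a median/MAD outlier test, and `streamstats current=f last(_time) as prev by host | eval gap=_time-prev` would do in Splunk. The Linux sshd lines, the simplified Windows 4625 lines, and all host, user and address names are constructed for the example; a real environment needs its own field extraction.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# --- Constructed sample data (hypothetical hosts, users, IPs) -----------------
# Linux: one sshd failure every 5 minutes for an hour (background noise), plus a
# burst of ten failures in ten seconds at 10:31. Windows: three 4625 events on
# dc01 written in a simplified "key=value" shape, not raw Windows event XML.
EPOCH = datetime(1970, 1, 1)
START = datetime(2024, 3, 5, 10, 0, 0)


def _linux(t, host, user, src="10.0.0.9"):
    return (f"{t.isoformat()} {host} sshd[4242]: Failed password for {user} "
            f"from {src} port 51000 ssh2")


SAMPLE_LINES = (
    [_linux(START + timedelta(minutes=5 * i), "web01", "bob") for i in range(12)]
    + [_linux(START + timedelta(minutes=31, seconds=i), "web01",
              "invalid user admin", "203.0.113.7") for i in range(10)]
    + [f"{(START + timedelta(minutes=12)).isoformat()} dc01 EventCode=4625 Account_Name=alice",
       f"{(START + timedelta(minutes=12, seconds=30)).isoformat()} dc01 EventCode=4625 Account_Name=alice",
       f"{(START + timedelta(minutes=41)).isoformat()} dc01 EventCode=4625 Account_Name=svc_backup",
       # A successful login, present to show that non-matching lines are dropped.
       f"{(START + timedelta(minutes=20)).isoformat()} web01 sshd[4242]: Accepted password for bob from 10.0.0.9 port 51000 ssh2"]
)

LINUX_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
                      r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventCode=4625 Account_Name=(?P<user>\S+)")


def parse_failed_logins(lines):
    """Extract (_time, host, username) from failed-login lines and skip the rest.
    This is the environment-specific search/extraction step before timechart."""
    events = []
    for line in lines:
        for rx in (LINUX_RE, WIN_RE):
            m = rx.match(line)
            if m:
                events.append((datetime.fromisoformat(m["ts"]), m["host"], m["user"]))
                break
    return sorted(events)


def _bucket(t, span):
    secs = (t - EPOCH).total_seconds()
    return EPOCH + timedelta(seconds=secs - secs % span.total_seconds())


def timechart_count(events, span=timedelta(minutes=5), split_by=None):
    """Mirror `timechart span=<span> count [by <split_by>]`: one count per
    (bucket, series), with empty buckets filled with 0 as timechart does.
    Leaving the zeros out would skew the median used below.
    split_by is None, "host" or "user". Returns {series: [(bucket, count), ...]}."""
    if not events:
        return {}
    idx = {None: None, "host": 1, "user": 2}[split_by]
    counts = Counter()
    for ev in events:
        counts[(_bucket(ev[0], span), "*" if idx is None else ev[idx])] += 1
    buckets, b = [], _bucket(events[0][0], span)
    while b <= _bucket(events[-1][0], span):
        buckets.append(b)
        b += span
    return {key: [(b, counts[(b, key)]) for b in buckets]
            for key in sorted({k for _, k in counts})}


def numeric_outliers(series, k=3.0):
    """Flag buckets whose count exceeds median + k * MAD for that series, the
    median-absolute-deviation rule the Detect Numeric Outliers assistant offers.
    Flooring the MAD at 1 is a design choice of this example, not the assistant's:
    with a MAD of 0, every bucket above the median would otherwise be flagged."""
    flagged = []
    for key, points in series.items():
        values = [c for _, c in points]
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        upper = med + k * max(mad, 1.0)
        flagged.extend((b, key, c) for b, c in points if c > upper)
    return flagged


def rapid_bursts(events, max_gap=timedelta(seconds=2), min_run=5):
    """Per host, find runs of failures each within max_gap of the previous one,
    like `streamstats current=f last(_time) as prev by host | eval gap=_time-prev`
    followed by a threshold on gap. Returns (host, first, last, count) per run."""
    by_host = {}
    for t, host, _ in events:          # events are already time-sorted
        by_host.setdefault(host, []).append(t)
    bursts = []
    for host, times in sorted(by_host.items()):
        run = [times[0]]
        for prev, cur in zip(times, times[1:]):
            if cur - prev <= max_gap:
                run.append(cur)
                continue
            if len(run) >= min_run:
                bursts.append((host, run[0], run[-1], len(run)))
            run = [cur]
        if len(run) >= min_run:
            bursts.append((host, run[0], run[-1], len(run)))
    return bursts


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LINES)
    for b, key, c in numeric_outliers(timechart_count(events, split_by="host")):
        print(f"outlier bucket {b:%H:%M} host={key} failed={c}")
    for host, s, e, n in rapid_bursts(events):
        print(f"burst on {host}: {n} failures between {s:%H:%M:%S} and {e:%H:%M:%S}")
```

Run as-is it reports the 10:30 bucket on web01 (11 failures against a baseline of 1 per bucket) and the ten-failure burst at 10:31, while dc01's two failures at 10:12 stay below threshold. The two checks catch different things: the bucket count finds an unusual volume in a span regardless of spacing, and the inter-arrival run finds tight clusters that can hide inside a span whose total is unremarkable, so it is worth keeping both.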

aoliner_splunk
Splunk Employee

Could you please elaborate on what you mean by a 'cluster'? Do you mean sets of systems that had failed logins around the same time? Do you mean sets of login attempts (on any system) that happened in rapid succession? Do you mean failed logins (on any system, at any time) that had similar characteristics? Etc.

0 Karma

jeremybe
New Member

Sorry! Actually, the first two scenarios you mentioned: both failed logins around the same time and login attempts on any system that happened in rapid succession.

Thank you for your help!

0 Karma