Splunk Search

Can you help me create a search for failed logons?

johann2017
Explorer

How would I write a search to look for failed logons coming from the same account happening across different systems? For example, an administrator account named Bob failed to log on to 10 different computers in under a 5 minute time span. He only attempted to log on 1 time to each of the 10 computers but failed each time.

Also, is there a Splunk forum created specifically for security related searches and ideas similar to this?


woodcock
Esteemed Legend

Like this:

 | tstats summariesonly=t count dc(Authentication.dest) AS destCount values(Authentication.dest) AS dests
 FROM datamodel=Authentication
 WHERE index=* AND nodename=Authentication.Failed_Authentication
 BY Authentication.src_user
 | where destCount >= 2
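As an added example (not part of any answer in this thread), the data model search above can be tightened to the exact criterion in the question: one account failing against at least 10 distinct hosts inside a 5-minute window. It assumes the CIM Authentication data model is installed and accelerated (summariesonly=t returns nothing otherwise), that the 10-host and 5-minute values are the ones from the question, and it groups on Authentication.src_user as the answer above does; switch to Authentication.user if your source populates the target account in that field instead.

```spl
| tstats summariesonly=t
    count AS failures
    dc(Authentication.dest) AS dest_count
    values(Authentication.dest) AS dests
  FROM datamodel=Authentication
  WHERE nodename=Authentication.Failed_Authentication
  BY _time span=5m Authentication.src_user
| rename Authentication.src_user AS src_user
| where dest_count >= 10
| table _time src_user failures dest_count dests
```

The span=5m in the BY clause buckets failures into fixed 5-minute bins, so a burst that straddles a bin boundary can be split and fall under the threshold. If that matters, run the same aggregation over raw events sorted by time with streamstats time_window=5m dc(dest) AS dest_count by src_user, which gives a true sliding window at the cost of the tstats speed-up.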

chrisyounger
SplunkTrust

Hi @johann2017

Splunk Security Essentials is an amazing (free!) addon that has tons of searches like this. Get it from here: https://splunkbase.splunk.com/app/3435/

Now to address your specific question. Typically you just run a search that looks for all authentication events, regardless of system. You can do this like so: search tag=authentication. This is because most official addons will be set to tag authentication events appropriately.

If you want to get more advanced, you should consider using the Splunk CIM and you can use the Authentication accelerated data model for more efficient searches.

Hope this helps


johann2017
Explorer

Thanks Chris, I upgraded my Security Essentials app and I will try that out. I was trying with this search:

 index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4771 (user!="*$" AND user!="Guest")
 | timechart count as Failed_Logon_Attempts values(host) as host values(Failure_Reason) as Failure_Reason values(user) as user by Source_Workstation
 | eval threshold=200

However, it does not seem to be working properly. The threshold does not seem to work.


chrisyounger
SplunkTrust

Maybe you need to do something more like this:

 index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4771 (user!="*$" AND user!="Guest")
 | timechart count as Failed_Logon_Attempts by Source_Workstation
 | eval threshold = 200

or something like this:

 index=wineventlog sourcetype="XmlWinEventLog:Security" EventID=4771 (user!="*$" AND user!="Guest")
 | stats count as Failed_Logon_Attempts values(host) as host values(Failure_Reason) as Failure_Reason values(user) as user by Source_Workstation
 | search Failed_Logon_Attempts > 200
