Hi, I need to search for 2 identical failed login attempts with 2 minutes between each other, to know if someone is trying to guess the password of a domain account.
For example, I want to search for Event 4776 (failed login attempt) for the same account, but only if it is happening within, for example, 2 minutes.
How can I search this?
Thanks in advance
You can extract that field in the search like this:
... | rex "Nombre de cuenta:\s*(?<account>\w+)" | transaction ...
To make the extraction stick you can put the regular expression into a field extraction through the manager.
Ok, I have been looking and the correct code is:
EventCode=4625
The Account field doesn't exist; there is a subfield that tracks the username that I want to look for. This is an example of the log:
The yellow part would be the "Account", but I don't know how to track it, and if I use
"EventCode=4625 | transaction ComputerName maxspan=2m | search eventcount>1" trying to track the ComputerName field, it shows all the events, not only the events that happened within the last 2 minutes.
Assuming you have the fields "EventID" and "Account" (otherwise adjust accordingly):
... EventID=4776 | transaction Account maxspan=2m | search eventcount>1
There are several ways, for example:
search for event 4776 | transaction account maxpause=120s
This will group together events for the same user as long as they are no more than two minutes apart. Any result with eventcount>1 is what you're looking for.
Alternatively, you can roll your own pseudo-transactions like this:
search for event 4776 | streamstats current=f window=1 global=f last(_time) as last_time by user | where abs(last_time-_time)<=120
That should run much faster than the transaction, but yields a slightly different result - what's better in your case depends on your environment.
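The grouping that `transaction account maxpause=120s | search eventcount>1` performs, written out in Python over constructed Spanish-localized 4625/4776 log lines so the logic can be checked outside Splunk. This is an added example, not code from the thread; the sample lines, field layout and regex are assumptions (the account extraction follows the `Nombre de cuenta:` rex above).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread): the account only appears in the message text.
SAMPLE_LOG = """\
2013-05-01 10:00:00 EventCode=4625 Error de inicio de sesion. Nombre de cuenta: jperez
2013-05-01 10:01:30 EventCode=4625 Error de inicio de sesion. Nombre de cuenta: jperez
2013-05-01 10:02:00 EventCode=4625 Error de inicio de sesion. Nombre de cuenta: mgarcia
2013-05-01 10:03:00 EventCode=4624 Inicio de sesion correcto. Nombre de cuenta: mgarcia
2013-05-01 10:05:00 EventCode=4625 Error de inicio de sesion. Nombre de cuenta: jperez
2013-05-01 10:06:00 EventCode=4776 Error de validacion. Nombre de cuenta: jperez
2013-05-01 10:06:30 EventCode=4625 Error de inicio de sesion. Nombre de cuenta: mgarcia
"""

# Same extraction as the 'rex' in the thread, plus the timestamp and EventCode.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventCode=(?P<code>\d+) .*?Nombre de cuenta:\s*(?P<account>\w+)"
)
FAILURE_CODES = {4625, 4776}  # logon failure / NTLM credential validation failure


def parse_events(log):
    """Return (time, code, account) tuples for matching lines, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(m["code"]), m["account"]))
    return sorted(events)


def repeated_failures(events, maxpause=timedelta(seconds=120)):
    """Emulate 'transaction account maxpause=120s | search eventcount>1': chain
    failures per account while neighbours are <= maxpause apart, keep runs of 2+."""
    groups = defaultdict(list)  # account -> list of runs, each a list of timestamps
    for ts, code, account in events:
        if code not in FAILURE_CODES:  # successful logons never join a run
            continue
        runs = groups[account]
        if runs and ts - runs[-1][-1] <= maxpause:
            runs[-1].append(ts)
        else:
            runs.append([ts])
    return {a: [r for r in rs if len(r) > 1]
            for a, rs in groups.items() if any(len(r) > 1 for r in rs)}


if __name__ == "__main__":
    for account, runs in repeated_failures(parse_events(SAMPLE_LOG)).items():
        print(account, [f"{r[0]:%H:%M:%S}-{r[-1]:%H:%M:%S} x{len(r)}" for r in runs])
```

With the sample data only `jperez` is reported, twice: the 10:00/10:01:30 pair and the 10:05/10:06 pair, while the 10:01:30 to 10:05 gap (210 s) correctly breaks the chain.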