Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Baseline and query for Anomalous Invalid Login Attempts

suvamondal
New Member
‎11-30-2015 08:54 AM

I am working on Anomalous Invalid Login Attempts where I need to do multiple login from a same user from different sites in 30 mins time span, so the below query I implemented

sourcetype=msad-successful-user-logons OR (EventCode=540 OR EventCode=4624)
NOT (user=$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| lookup ADSitesAndSubnets name as src_ip OUTPUT description as SiteName name as Subnet
| search NOT (SiteName=KDC OR SiteName=NDC) )### both are same region so not require
| lookup ComputerIPAddressTemporal ip AS src_ip OUTPUT computer AS ComputerName
| stats first(_time) as LastEventTime last(_time) as FirstEventTime by user src_ip SiteName ComputerName
| eval LogonData = ComputerName . "|" . SiteName . "|" . src_ip . "|" . strftime(FirstEventTime, "%H:%M:%S") . "|" . strftime(LastEventTime, "%H:%M:%S")
| stats dc(SiteName) as Number_Sites values(LogonData) as LogonData by user | where Number_Sites >= 2
| mvexpand LogonData

| rex field=LogonData "^(?<ComputerName>[^|]+)|(?<SiteName>[^|]+)|(?<src_ip>[^|]+)|(?<FirstEventTime>[^|]+)|(?<LastEventTime>[^|]+)$"

| ldapfilter domain=NEXEOSOLUTIONS search="(sAMAccountName=$user$)" attrs="distinguishedName"

| search distinguishedName="*OU=Nexeo Sync"

| sort user SiteName ComputerName
| table user SiteName ComputerName src_ip FirstEventTime LastEventTime

Now my requirement is to define more baseline for “Anomalous Invalid Login Attempts”.
My question is what could be the possible baselines in this scenario and what will be query for that.

Tags (1)
0 Karma
Reply

hagjos43
Contributor
‎12-02-2015 04:45 AM

Defining a baseline can be tricky as each system and environment is different. You might need to build a dashboard with multiple panels (queries) to give you a broad idea of average behavior over time. I see you're in a windows environment, I'll suggest taking a look at a few known working Windows queries here: http://gosplunk.com/category/wineventlogsecurity/ You can probably find a few queries to throw together in a dashboard, as well as use and abuse the queries to come up with something that'll suit your needs.

In addition, I'd use statistical functions such as average, median, standard deviation (etc, etc) over a proper period of time (week / month, weekend vs weekday) to properly determine behavior and baselines.

My $.02 at least 🙂

0 Karma
Reply

jsven7
Communicator
‎12-02-2015 04:20 AM

Are you trying to get a report? Can you provide some sample data and the conditions that represent "Anomalous Invalid Login Attempts"?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...