Splunk Search

Question regarding brute force query

rahul_mckc_splu
Loves-to-Learn

Please see this query for brute force detection:

index="wineventlog" sourcetype=wineventlog:security
| search (EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR EventCode=4776)
| stats dc(action) as Attempts, count(eval(match(action,"failure"))) as Failed, count(eval(match(action,"success"))) as Success values(src) as src by user dest
| where Attempts>1 AND Failed>10 AND Success>0.....
So now what's happening is I am getting results for Failed>10 and Success>0, but there could be a scenario where the 1st event is a success followed by 10 failures. That is also coming through, but we don't want that; it's not a brute force attack. How can I accomplish this: the first 10 events are failures, followed by an 11th event that is a success?

0 Karma

DalJeanis
Legend

Here's one way -

index="wineventlog" sourcetype=wineventlog:security
(EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR 
 EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR 
 EventCode=4776) 
| stats dc(action) as Attempts, 
        count(eval(match(action,"failure"))) as Failed, 
        count(eval(match(action,"success"))) as Success 
        max(eval(case(match(action,"failure"),_time))) as lastFailed
        max(eval(case(match(action,"success"),_time))) as lastSuccess
        values(src) as src by user dest 
| where Attempts>1 AND Failed>10 AND Success>0
| where lastFailed < lastSuccess

This would work for what you asked for, but I'm not sure it really meets the business need.

Think about it this way - your actual employee or client could be trying to use his account as well during any given time frame, so a success that is unrelated to the brute force attack could be coincidentally in the time frame of your search.

It seems like, if there are ten failures, THEN you need to analyze the successes in light of the failures. Let me see if I can put something like that together.


Okay, this version is going to give you much closer to what you need.

index="wineventlog" sourcetype=wineventlog:security
(EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR 
 EventCode=4768 OR EventCode=4769 OR EventCode=4771 OR 
 EventCode=4776) 
| eventstats count(eval(match(action,"failure"))) as Failed, 
        count(eval(match(action,"success"))) as Success 
        by user dest 
| where Failed >= 10  AND Success > 0
| rename COMMENT as "The above gets rid of all events that are obviously not matches"


| rename COMMENT as "Sort into order, then add up strings of failures or successes"
| sort 0 user dest _time 
| streamstats reset_on_change=t count as UDcount by user dest action

| rename COMMENT as "Copy the prior record info, then test for a success after 10+ failures"
| streamstats current=f last(UDcount) as prevUDcount last(action) as prevAction by user dest
| eval KeepMe=case(action="success" AND prevAction="failure" AND prevUDcount >=10,"KeepMe")

| eventstats max(KeepMe) as KeepAll by user dest
| where KeepAll="KeepMe"

At this point, you have all events for any suspicious combo of user and dest retained together. The one success after a long row of failures will be marked with KeepMe="KeepMe", and the rest will be marked with KeepAll="KeepMe".

0 Karma

rahul_mckc_splu
Loves-to-Learn

where lastFailed < lastSuccess is giving all failures followed by a success .... (it is going wrong here). If I have 100 successes, then 10 failures, then again 100 successes, this condition where lastFailed < lastSuccess is true...

I mean it should be true only when we first have failures followed by a success, not.... success, then failures, then again success...

0 Karma
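To make the difference between the two conditions in this thread concrete, here is an added Python replay of both (not code from the thread or from Splunk): DalJeanis's first query (Failed>10, Success>0, lastFailed < lastSuccess) and the second, run-based query (a success immediately preceded by 10+ consecutive failures, as the streamstats chain computes). The users alice/bob/carol, the dest srv1 and the event timeline are constructed sample data.

```python
from collections import defaultdict
from itertools import count

FAIL, OK = "failure", "success"

def build_events():
    """Constructed sample events as (time, user, dest, action) tuples; not from the thread."""
    t = count()
    def run(user, action, n):
        return [(next(t), user, "srv1", action) for _ in range(n)]
    ev = []
    ev += run("alice", FAIL, 11) + run("alice", OK, 1)                       # 11 failures, then a success
    ev += run("bob", FAIL, 5) + run("bob", OK, 1) + run("bob", FAIL, 6) + run("bob", OK, 1)  # failures interleaved with normal logins
    ev += run("carol", FAIL, 11) + run("carol", OK, 1) + run("carol", FAIL, 2)  # success after 11 failures, then 2 more failures
    return ev

def group(events):
    """Equivalent of 'sort 0 user dest _time' followed by 'by user dest'."""
    by_key = defaultdict(list)
    for t, user, dest, action in sorted(events):
        by_key[(user, dest)].append((t, action))
    return by_key

def flag_by_stats(events, min_failed=10):
    """First query: Failed>10 AND Success>0 AND lastFailed < lastSuccess."""
    hits = set()
    for key, rows in group(events).items():
        failed = [t for t, a in rows if a == FAIL]
        success = [t for t, a in rows if a == OK]
        if len(failed) > min_failed and success and max(failed) < max(success):
            hits.add(key)
    return hits

def flag_by_run(events, min_failed=10):
    """Second query: UDcount is the length of the current run of identical actions
    (streamstats reset_on_change=t); KeepMe fires on a success whose previous
    event was a failure with prevUDcount >= 10."""
    hits = set()
    for key, rows in group(events).items():
        run_len, prev = 0, None
        for _, action in rows:
            if action == OK and prev == FAIL and run_len >= min_failed:
                hits.add(key)
            run_len = run_len + 1 if action == prev else 1
            prev = action
    return hits
```

bob is flagged only by the stats version (11 failures in total, but never 10 in a row, so the successes are most likely the real user), while carol is flagged only by the run version (the trailing failures push lastFailed past lastSuccess).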

rahul_mckc_splu
Loves-to-Learn

Please do the needful.

0 Karma