Splunk Search

Would my search detect a malicious user, attempting to connect to multiple destinations, but only one failed login to each destination?

jacqu3sy
Path Finder

Problem with this search?

Would the following search detect a malicious user, trying to connect to multiple destinations using a specific username, but only one failed login to each destination? My understanding is that the count against one specific destination would have to be greater than 5 for this to fire an alert.

| tstats `summariesonly` count from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user","Authentication.dest"  
| rename "Authentication.user" as "user ","Authentication.dest" as "dest" 
| where 'count'>5

Would it, however, detect an attack against, say, 100 destinations, where there was just 1 failed login against each host? Someone trying to brute force a username 'Administrator', for example, and fly under the >5 trigger?

Thanks.

0 Karma

DalJeanis
Legend

You are correct that it would not detect such an attack. You could set up an additional search (with perhaps a different threshold for triggering) by moving the "by destination" portion of the search, something like this.

 | tstats `summariesonly` count list ("Authentication.dest") as "dest" from datamodel=Authentication where nodename=Authentication.Failed_Authentication by "Authentication.user"
 | rename "Authentication.user" as "user "
 | where 'count'>10
0 Karma

jacqu3sy
Path Finder

Thanks for confirming. Much appreciated.

I did try your alternative search, but it returned:
Error in 'stats' command: The argument '(Authentication.dest)' is invalid.

I'll play around with it. Thanks again.

0 Karma

DalJeanis
Legend

Sure. I wondered about that.

Look up the eventSearch value in the search.log for your original tstats search, and see what Splunk substituted for "Authentication.dest". Use that same underlying data model item in the "list() as dest" clause.

0 Karma
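As an added example (not either poster's search), one way to cover both cases raised in this thread, many failures against one host and a single failure spread across many hosts, in a single search: keep the original by user/dest grouping, then aggregate again per user. It assumes the ES `summariesonly` macro and the Authentication data model fields used above; the thresholds 5 and 10 are the ones mentioned in the thread, and the aggregation functions are written directly against the call (no space before the parenthesis).

```spl
| tstats `summariesonly` count
    from datamodel=Authentication
    where nodename=Authentication.Failed_Authentication
    by Authentication.user, Authentication.dest
| rename Authentication.user as user, Authentication.dest as dest
| stats sum(count) as failures, dc(dest) as dest_count, max(count) as max_per_dest, values(dest) as dests by user
| where max_per_dest > 5 OR dest_count > 10
```

max_per_dest catches the original brute-force case against one host, while dest_count catches a user with one failure on each of many hosts; dests lists the hosts involved for triage.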