This Splunk search will output a table that will show the count of failed logins by Splunk user.
0 comments
Suppose you have the following fields: fieldA, FieldB, fieldC -- If you search for fieldB!=value3
You will get Results fieldB=value1, fieldB=value2
If fieldB does not exist, nothing is returned.
-----------------------------------------------------
Searching with NOT:
If you search for NOT fieldB=value3, the search returns everything except fieldB=value3:
fieldA=value1, fieldA=value2, fieldA=value3
fieldB=value1, fieldB=value2
fieldC=value1, fieldC=value2, fieldC=value3
If fieldB does not exist, NOT fieldB=value3 returns:
fieldA=value1, fieldA=value2, fieldA=value3
fieldC=value1, fieldC=value2, fieldC=value3
Splunk has a robust search functionality which enables you to search the entire data set that is ingested. This feature is accessed through the app named as Search & Reporting which can be seen in the left side bar after logging in to the web interface.
On clicking on the search & Reporting app, we are presented with a search box, where we can start our search on the log data that we uploaded in the previous chapter.
We type the host name in the format as shown below and click on the search icon present in the right most corner. This gives us the result highlighting the search term.
Combining Search Terms
We can combine the terms used for searching by writing them one after another but putting the user search strings under double quotes.
Using Wild Card
We can use wild cards in our search option combined with the AND/OR operators. In the below search, we get the result where the log file has the terms containing fail, failed, failure, etc., along with the term password in the same line.
Refining Search Results
We can further refine the search result by selecting a string and adding it to the search. In the below example, we click over the string 3351 and select the option Add to Search.
After 3351 is added to the search term, we get the below result which shows only those lines from the log containing 3351 in them. Also mark how the time line of the search result has changed as we have refined the search.
A good place to start.
//static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56b36b4d3c44d86cf33341ca/1454598990...
This is the one I use for failed login events.
index=yourindex sourcetype="WinEventLog:Security" EventCode=4625 |fillnull value=NULL | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials") |stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time |sort + Security_IDIn case you want it, here is successful login events.
index=yourindex sourcetype="WinEventLog:Security" EventCode=4624 |fillnull value=NULL | eval Account_Name = mvindex(Account_Name,1) | eval Security_ID = mvindex(Security_ID,1) | eval LoginType=case(Logon_Type=3,"RPC (not RDP)",Logon_Type=4,"Batch",Logon_Type=5,"Service",Logon_Type=7,"Screen Unlock/Session Resume",Logon_Type=10,"Remote Desktop",Logon_Type=11,"Cached",Logon_Type=9,"New Credentials") |stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType,host,_time |sort + Security_IDIt would help if we knew how the query fails to meet expectations. As a start, I offer this revision that should better meet the stated requirements.
( index = index1 "Failed password") earliest=-24h | eventstats count as Per_User_failures by user | stats latest(_time) as _time, values(host), values(dest_ip), values(src_ip), dc(src_ip) as srcIpCount, list(user), dc(user) as userCount, list(Per_User_failures) as Per_User_failures count as Total_failures by src_ip dest | rename values(*) as * | where Total_failures>10 OR Per_user_Failures>5If the "Failed password" string is in a specific field then that field should be specified to improve search performance.
---
If this reply helps you, Karma would be appreciated.