-
5 years, 6 months ago
DaveyBoy wrote a new post
Dashboard with 3 separate columns which allow you to drill into 3 separate assets to find out who was logged on, when they logged on, and how they logged on. Accounts for remote logins, local logins, and […]
-
5 years, 7 months ago
DaveyBoy commented on the post, Detect Username Guessing Brute Force Attacks
In reply to: DaveyBoy wrote a new post The below will detect a form of brute force which most will miss. Whereas other scripts detect multiple logins against a single account, they fail to detect 4 failed logins against 40 […] ViewYou just need to drill into each user independently and finish with a
| stats count by host
or
| stats count by Source_Network_Address
It depends where its failing.
source=”wineventlog:security” EventCode=4625
| rex “Account For Which Logon Failed:s*Security ID:s*(?.*)s*Account Name:s*(?.*)s*Account Domain:s*(?.*)s*Fail”
| stats…[Read more] -
7 years, 1 month ago
DaveyBoy wrote a new post
The below will detect a form of brute force which most will miss. Whereas other scripts detect multiple logins against a single account, they fail to detect 4 failed logins against 40 accounts.
This first […]
-
I like it, but these are the modifications I made to resolve some issues I had and output more information about the accounts involved. Cleans up the time also.
sourcetype=wineventlog EventCode=4625 OR EventCode=4624
| bin _time span=5m as minute
| stats count(Keywords) as Attempts,
count(eval(match(Keywords,”Audit Failure”))) as Failed,
count(eval(match(Keywords,”Audit Success”))) as Success by minute user
| where Failed>=4
|stats values(user) AS userlist dc(user) AS Total BY minute
| where Total>5
| eval minute=strftime(minute,”%m/%d/%y %H:%M:%S”) -
You just need to drill into each user independently and finish with a
| stats count by host
or
| stats count by Source_Network_Address
It depends where its failing.
source=”wineventlog:security” EventCode=4625
| rex “Account For Which Logon Failed:s*Security ID:s*(?.*)s*Account Name:s*(?.*)s*Account Domain:s*(?.*)s*Fail”
| stats count by host accountName
| sort count descThis will tell you which account has failed and the machine it failed on. If it was attempting to connect to a network resource change the stats count to “stats count by Source_Network_Address accountName” and that should give you the offending host.
-
-
7 years, 1 month ago
DaveyBoy wrote a new post
This query will display a bar chart of all successful Internal vs External SSH connections. Useful for identifying any spikes in connectivity coming from within your network remit or outside of it. Simply change […]
-
7 years, 1 month ago
DaveyBoy wrote a new post
This displays a list of failed attempts against each connecting IP. Can be used to detect brute force from a particular source IP. You can then put a block up via ACL or whatever method you chose to mitigate the […]
-
7 years, 1 month ago
DaveyBoy became a registered member
-
7 years, 1 month ago
DaveyBoy became a registered member
Hi, I’m new to splunk… Doesn’t seem to work for me.. not sure what input values i need to place in it?
Armando,
You’ll need to have access to the correct indexes for this, you might need to manually enter the index name if your role doesn’t search all non-internal indexes by default.
Thanks I got it to work now. Cheers!
didnt work for me either, i used index IN (wineventlog, security) source=wineventlog* .
I know this part works, but the dashboard shows no data