The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde replied to Nikita's discussion Count failures and success via transaction"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
StatsWow - simple things you can do with "stats" - security scenario
I had someone propose this to me the other day:
I’d like to be alerted if “anyone” fails a login on my boxes more than 20 times in a 24 hour period and be notified of it.
How do we do that in Splunk. Not how you might think, but the search language is very powerful and when used can wields some nasty wounds on the bad guys.
Splunk search logic: Find failed logins with search with “hoursago=24” added to critera. Ask splunk to count the number of failed logins per user. Then ask splunk to filter on any users that have a failed login count of more than 20. The search command looks like this
“failed password hoursago=24 | stats count by user | search count>20” (<----btw, user is an “extracted field” out of those events---easy)
Break it down for me ninja!
"failed password hoursago=24" -- obviously gets the results of a search with failed password in the past 24 hours..
"| stats count by user" -- presents a table with the columns of {username, count}
"| search count>20" -- searches within that table where the count field is greater than 20
Save that search, schedule it to run everyday at midnight. Alert if this search returns more than 0 events. (not more than 0 logins.. But the search, looking for >20 failed logins comes back positive or negative. Oh, and make that alert an email AND an RSS feed....sweet.
I’d like to be alerted if “anyone” fails a login on my boxes more than 20 times in a 24 hour period and be notified of it.
How do we do that in Splunk. Not how you might think, but the search language is very powerful and when used can wields some nasty wounds on the bad guys.
Splunk search logic: Find failed logins with search with “hoursago=24” added to critera. Ask splunk to count the number of failed logins per user. Then ask splunk to filter on any users that have a failed login count of more than 20. The search command looks like this
“failed password hoursago=24 | stats count by user | search count>20” (<----btw, user is an “extracted field” out of those events---easy)
Break it down for me ninja!
"failed password hoursago=24" -- obviously gets the results of a search with failed password in the past 24 hours..
"| stats count by user" -- presents a table with the columns of {username, count}
"| search count>20" -- searches within that table where the count field is greater than 20
Save that search, schedule it to run everyday at midnight. Alert if this search returns more than 0 events. (not more than 0 logins.. But the search, looking for >20 failed logins comes back positive or negative. Oh, and make that alert an email AND an RSS feed....sweet.
Views: 5
© 2012 Created by Michael Wilde.
