Splunk Lantern

Multiple account login denials followed by authorization

You might want to alert on accounts that have multiple login denials in a row followed by an authorization when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Brute force password attacks are a concern in your financial services organization. To help protect your users, you want to report hourly on accounts that have multiple login denials followed by an authorization, a pattern that might indicate cracked credentials.

To optimize the search shown below, you should specify an index and a time range. 

  1. Run the following search:

    |inputlookup <name of lookup file for wire transfer information>
    |convert timeformat="%Y/%m/%d %H:%M:%S" ctime(epoch) AS c_time
    |sort - _time
    |streamstats time_window=1h count(eval(action="denied")) AS denied_count count(eval(action="authorized")) AS "authorized_count" latest(action) AS latest_action BY customer,FromAccount,ToAccount
    |where denied_count>=5 and authorized_count>=1 and latest_action="authorized"
    |table _time, customer, FromAccount, ToAccount, amount, denied_count, authorized_count
    |eval amount=tostring(round(amount, 2),"commas")

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

|inputlookup <name of lookup file for wire transfer information>
    Search the data in your wire transfer information lookup file.

|convert timeformat="%Y/%m/%d %H:%M:%S" ctime(epoch) AS c_time
    Convert the epoch time value in your lookup file to the specified human-readable format and name the converted field c_time. Note that the rest of the search sorts and windows on _time: if your lookup stores the event time only in the epoch field and has no _time field, add | eval _time=epoch before the sort so that streamstats time_window has a time field to work with.

|sort - _time
    Sort the results with the most recently occurring first.

|streamstats time_window=1h count(eval(action="denied")) AS denied_count count(eval(action="authorized")) AS "authorized_count" latest(action) AS latest_action BY customer,FromAccount,ToAccount
    For each result, count the denied and authorized actions that fall within a 1 hour window for the same customer, FromAccount and ToAccount, and record the most recent action in that window as latest_action.

|where denied_count>=5 and authorized_count>=1 and latest_action="authorized"
    Return results where there are at least 5 denials, at least 1 authorization, and the latest action is authorized.

|table _time, customer, FromAccount, ToAccount, amount, denied_count, authorized_count
    Display the results in a table with columns in the order shown.

|eval amount=tostring(round(amount, 2),"commas")
    Round the amount value to two decimal places and add thousands separators for better readability.
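The following Python script is an added example, not part of the original Lantern article and not Splunk code: it reproduces the window logic of the streamstats and where stages above over a small set of constructed wire transfer records, so you can check what the search is expected to flag before running it against your own lookup. Records are processed in chronological order and, for each (customer, FromAccount, ToAccount) group, a trailing one hour window is kept; a row is emitted when the current record is an authorization and at least five denials sit inside that window. The customer and account identifiers, timestamps and amounts are made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # mirrors streamstats time_window=1h
DENY_THRESHOLD = 5            # mirrors where denied_count>=5


def parse_time(text):
    """Parse a 'YYYY/MM/DD HH:MM:SS' string (the timeformat used by the search)."""
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")


def format_amount(amount):
    """Equivalent of tostring(round(amount, 2), "commas"): two decimals, thousands separators."""
    return f"{round(float(amount), 2):,.2f}"


def _rec(ts, customer, from_acct, to_acct, action, amount):
    return {"_time": parse_time(ts), "customer": customer, "FromAccount": from_acct,
            "ToAccount": to_acct, "action": action, "amount": amount}


# Constructed sample records (hypothetical customers, accounts and amounts; not from the page).
SAMPLE_RECORDS = [
    # C1001: five denials in twenty minutes, then an authorization -> should be flagged
    _rec("2024/03/01 09:00:00", "C1001", "ACC-111", "ACC-999", "denied", 9875.256),
    _rec("2024/03/01 09:05:00", "C1001", "ACC-111", "ACC-999", "denied", 9875.256),
    _rec("2024/03/01 09:10:00", "C1001", "ACC-111", "ACC-999", "denied", 9875.256),
    _rec("2024/03/01 09:15:00", "C1001", "ACC-111", "ACC-999", "denied", 9875.256),
    _rec("2024/03/01 09:20:00", "C1001", "ACC-111", "ACC-999", "denied", 9875.256),
    _rec("2024/03/01 09:30:00", "C1001", "ACC-111", "ACC-999", "authorized", 9875.256),
    # a later authorization: by 10:05 only four denials remain inside the hour -> not flagged
    _rec("2024/03/01 10:05:00", "C1001", "ACC-111", "ACC-999", "authorized", 250.0),
    # C2002: five denials spread over five hours, then authorized -> not flagged
    _rec("2024/03/01 06:00:00", "C2002", "ACC-222", "ACC-888", "denied", 500.0),
    _rec("2024/03/01 07:00:00", "C2002", "ACC-222", "ACC-888", "denied", 500.0),
    _rec("2024/03/01 08:00:00", "C2002", "ACC-222", "ACC-888", "denied", 500.0),
    _rec("2024/03/01 09:00:00", "C2002", "ACC-222", "ACC-888", "denied", 500.0),
    _rec("2024/03/01 10:00:00", "C2002", "ACC-222", "ACC-888", "denied", 500.0),
    _rec("2024/03/01 10:30:00", "C2002", "ACC-222", "ACC-888", "authorized", 500.0),
]
# C3003: five denials to one destination, authorization to a different one.
# The BY clause groups on ToAccount too, so this is a separate group -> not flagged.
SAMPLE_RECORDS += [
    _rec(f"2024/03/01 11:{m:02d}:00", "C3003", "ACC-333", "ACC-777", "denied", 75.0)
    for m in (0, 5, 10, 15, 20)
] + [_rec("2024/03/01 11:25:00", "C3003", "ACC-333", "ACC-666", "authorized", 75.0)]


def find_suspicious(records, window=WINDOW, threshold=DENY_THRESHOLD):
    """Return one row per authorization that is preceded, within `window`, by at least
    `threshold` denials for the same (customer, FromAccount, ToAccount) group."""
    recent = defaultdict(deque)   # group key -> events inside the trailing window, oldest first
    hits = []
    for rec in sorted(records, key=lambda r: r["_time"]):
        key = (rec["customer"], rec["FromAccount"], rec["ToAccount"])
        q = recent[key]
        q.append(rec)
        # Drop events older than the window relative to the current event.
        while rec["_time"] - q[0]["_time"] > window:
            q.popleft()
        denied_count = sum(1 for e in q if e["action"] == "denied")
        authorized_count = sum(1 for e in q if e["action"] == "authorized")
        # In chronological order, latest_action="authorized" means the current record is the authorization.
        if denied_count >= threshold and authorized_count >= 1 and rec["action"] == "authorized":
            hits.append({
                "_time": rec["_time"].strftime("%Y/%m/%d %H:%M:%S"),
                "customer": rec["customer"],
                "FromAccount": rec["FromAccount"],
                "ToAccount": rec["ToAccount"],
                "amount": format_amount(rec["amount"]),
                "denied_count": denied_count,
                "authorized_count": authorized_count,
            })
    return hits


if __name__ == "__main__":
    for row in find_suspicious(SAMPLE_RECORDS):
        print(row)
```

Only the 09:30 authorization for C1001 is reported. The C2002 group shows why the window matters (five denials, but never five inside one hour), and the C3003 group shows that an authorization to a different destination account lands in a different BY group and is not correlated with the denials; if your threat model cares about denials across any destination, drop ToAccount from the BY clause.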

Result

Run this report every hour to find suspicious users whose credentials may have been cracked. Investigate the customers this search identifies according to your institution's standard operating procedures and applicable regulations.