I am working on Anomalous Invalid Login Attempts, where I need to detect multiple logins from the same user from different sites within a 30-minute time span, so I implemented the query below:
```
sourcetype=msad-successful-user-logons OR (EventCode=540 OR EventCode=4624)
NOT (user=*$ OR user="ANONYMOUS LOGON" OR user=SYSTEM OR user=services OR user=Unknown)
| lookup ADSitesAndSubnets name as src_ip OUTPUT description as SiteName name as Subnet
| search NOT (SiteName=KDC OR SiteName=NDC)
| lookup ComputerIPAddressTemporal ip AS src_ip OUTPUT computer AS ComputerName
| stats first(_time) as LastEventTime last(_time) as FirstEventTime by user src_ip SiteName ComputerName
| eval LogonData = ComputerName . "|" . SiteName . "|" . src_ip . "|" . strftime(FirstEventTime, "%H:%M:%S") . "|" . strftime(LastEventTime, "%H:%M:%S")
| stats dc(SiteName) as Number_Sites values(LogonData) as LogonData by user
| where Number_Sites >= 2
| mvexpand LogonData
| rex field=LogonData "^(?<ComputerName>[^|]+)\|(?<SiteName>[^|]+)\|(?<src_ip>[^|]+)\|(?<FirstEventTime>[^|]+)\|(?<LastEventTime>[^|]+)$"
| ldapfilter domain=NEXEOSOLUTIONS search="(sAMAccountName=$user$)" attrs="distinguishedName"
| search distinguishedName="*OU=Nexeo Sync*"
| sort user SiteName ComputerName
| table user SiteName ComputerName src_ip FirstEventTime LastEventTime
```

(The `search NOT (SiteName=KDC OR SiteName=NDC)` line: both are the same region, so they are not required.)
Now my requirement is to define more baselines for "Anomalous Invalid Login Attempts".
My question is: what could the possible baselines be in this scenario, and what would the query for them look like?