Sumo Logic

Lab 3 - Top 10 Number of Failed Login Attempts

Create query templates so your team doesn't need to understand query languages to use your threat intel.

Often you want to detect users who fail to log in to their account. The user could have forgotten their password, or someone could be attempting to break into your network.


In this lab you will filter the incoming logs to observe the Top 10 login failures. You will learn how to aggregate data over time and filter on specific user activity. For this you will use the timeslice and top operators.

Lab Activity

Scope and parse

  1. To create a query that produces the Top 10 Failed Logins, click +New, select Log Search, and set the time range to the Last 24 Hours.

  2. Set your _sourceCategory to the AWS CloudTrail source.

_sourceCategory=Labs/AWS/CloudTrail

  3. For this query we need to extract the following five JSON fields. Your query should now look like this:

_sourceCategory=Labs/AWS/CloudTrail
| json field=_raw "userIdentity.userName" as actor
| json field=_raw "eventType" as event_type
| json field=_raw "sourceIPAddress" as src_ip
| json field=_raw "responseElements.ConsoleLogin" as result
| json field=_raw "eventName" as event_name

  4. Run the query and observe the parsing in the field browser and the field window.


Create the parameters and filter

  1. As in the last lab, you can create a parameter for event_type and for actor. At the bottom of the query, add the two where filters below, which use {{variables}}; the parameter window will then appear.

| where event_type matches {{event_type}}
| where actor matches {{actor}}

  2. In the parameter window, type an asterisk (*) in each field. This sets the wildcard as the default value for each parameter.


  3. To view only those results where actor and event_type are not empty and that are console logins, add the four where filters below at the bottom of the query. The first two make sure that actor and event_type are not empty values. The next two keep only the logs that produced failures and whose event_type is a console sign-in.

    | where !isEmpty(actor)
    | where !isEmpty(event_type)
    | where result = "Failure"
    | where event_type = "AwsConsoleSignIn"

Aggregate data over time 

  1. To analyze data over time, apply timeslice to group the incoming log data into 1-hour buckets. Then aggregate the data using count. You can add a filter to allow only counts greater than 10, and then use the top operator to return the highest 10 results.

    | timeslice 1h
    | count by _timeslice,actor,event_type,event_name,result
    | top 10 actor by _timeslice,event_type,result,_count

  2. The entire query should look like this:

    _sourceCategory=Labs/AWS/CloudTrail
    | json field=_raw "userIdentity.userName" as actor
    | json field=_raw "eventType" as event_type
    | json field=_raw "sourceIPAddress" as src_ip
    | json field=_raw "responseElements.ConsoleLogin" as result
    | json field=_raw "eventName" as event_name
    | where event_type matches {{event_type}}
    | where actor matches {{actor}}
    | where !isEmpty(actor)
    | where !isEmpty(event_type)
    | where result = "Failure"
    | where event_type = "AwsConsoleSignIn"
    | timeslice 1h
    | count by _timeslice,actor,event_type,event_name,result
    | top 10 actor by _timeslice,event_type,result,_count
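To make the pipeline above concrete without a Sumo Logic account, the following Python script is an added example (not part of the lab and not Sumo Logic code) that models each stage of the query over a handful of constructed CloudTrail-style records: the json field extraction (a missing path becomes an empty value, which isEmpty catches), the {{actor}} and {{event_type}} parameters (modelled as fnmatch-style globs where * matches anything, an assumption about the exact semantics of matches), the four hard-coded where filters, timeslice 1h, count by, and top N. Function names, the sample records and the IP address are all invented for the example.

```python
import json
from collections import Counter
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def _event(ts, user, result, event_type="AwsConsoleSignIn", event_name="ConsoleLogin"):
    """Build one constructed CloudTrail-like record as a raw JSON string.
    user=None omits userIdentity.userName; result=None omits responseElements."""
    rec = {"eventTime": ts, "eventType": event_type, "eventName": event_name,
           "sourceIPAddress": "203.0.113.10", "userIdentity": {}}   # documentation-range IP
    if user is not None:
        rec["userIdentity"]["userName"] = user
    if result is not None:
        rec["responseElements"] = {"ConsoleLogin": result}
    return json.dumps(rec)


# Constructed sample input (not real data): three failures for alice and one for
# bob in the 14:00 hour, one for bob in the 15:00 hour, plus records that each
# of the where filters should drop.
SAMPLE_RAW = [
    _event("2020-08-05T14:05:12Z", "alice", "Failure"),
    _event("2020-08-05T14:20:40Z", "alice", "Failure"),
    _event("2020-08-05T14:45:03Z", "alice", "Failure"),
    _event("2020-08-05T14:10:59Z", "bob", "Failure"),
    _event("2020-08-05T15:02:17Z", "bob", "Failure"),
    _event("2020-08-05T15:30:00Z", "alice", "Success"),            # dropped: result != Failure
    _event("2020-08-05T15:40:00Z", None, "Failure"),               # dropped: isEmpty(actor)
    _event("2020-08-05T15:50:00Z", "carol", None,
           "AwsApiCall", "DescribeInstances"),                      # dropped: not a console sign-in
    _event("2020-08-05T15:55:00Z", "", "Failure"),                 # dropped: empty userName
]


def json_field(raw, path):
    """Model of `json field=_raw "a.b" as x`: a missing path yields "" (isEmpty)."""
    node = json.loads(raw)
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return ""
        node = node[key]
    return "" if node is None else str(node)


def parse_event(raw):
    """The five json extractions from the lab, plus the event time for timeslicing."""
    return {
        "actor": json_field(raw, "userIdentity.userName"),
        "event_type": json_field(raw, "eventType"),
        "src_ip": json_field(raw, "sourceIPAddress"),
        "result": json_field(raw, "responseElements.ConsoleLogin"),
        "event_name": json_field(raw, "eventName"),
        "_messagetime": json_field(raw, "eventTime"),
    }


def timeslice_1h(iso_ts):
    """Model of `timeslice 1h`: floor the event time to the start of its hour."""
    t = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t.replace(minute=0, second=0).strftime("%Y-%m-%dT%H:%M:%SZ")


def keep(ev, actor_pattern, event_type_pattern):
    """The six where filters from the lab, in order. The two {{parameters}} are
    modelled as globs (assumption); the lab's default of * keeps everything."""
    return (fnmatchcase(ev["event_type"], event_type_pattern)
            and fnmatchcase(ev["actor"], actor_pattern)
            and ev["actor"] != ""
            and ev["event_type"] != ""
            and ev["result"] == "Failure"
            and ev["event_type"] == "AwsConsoleSignIn")


def top_failed_logins(raw_events, n=10, actor_pattern="*", event_type_pattern="*"):
    """Model of `count by _timeslice,actor,event_type,event_name,result` followed
    by `top N`: returns (slice, actor, event_type, event_name, result, count)
    tuples, highest count first; ties are broken by key so output is deterministic."""
    counts = Counter()
    for raw in raw_events:
        ev = parse_event(raw)
        if keep(ev, actor_pattern, event_type_pattern):
            counts[(timeslice_1h(ev["_messagetime"]), ev["actor"], ev["event_type"],
                    ev["event_name"], ev["result"])] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [key + (cnt,) for key, cnt in ranked[:n]]


if __name__ == "__main__":
    for row in top_failed_logins(SAMPLE_RAW):
        print(row)
```

Running the script prints three rows: alice with 3 failures in the 14:00 slice, then bob with 1 in each of the 14:00 and 15:00 slices; the success, the record with no userName, the API call and the empty-userName record never reach the count, which is exactly the effect of the four hard-coded where filters. Passing actor_pattern="bob" reproduces what typing bob into the actor parameter field does in the dashboard.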

Note that the pivot on event_type is hardwired in this query by the where event_type = "AwsConsoleSignIn" line. You could pivot on other things, but you would need to comment out that line. You can also pivot to what else the actor(s) with failed logins are doing in the system: what else is that actor doing? A community post query is a good starting point, or simply discuss the idea of next steps. (As this query

  3. Run the query. In the Aggregates tab, you are looking at the table view. You will see results like the ones below.


Add the panel to the dashboard

  1. Now that we have the data we want, let's add it to the SOC_<your initials###> dashboard you created, by clicking the Add to Dashboard button in the Aggregates tab. Use the panel name Top 10 Failed Login Attempts in the popup window.


  2. Since we are adding to an existing dashboard that already has the parameters from the previous lab, a popup appears asking you to confirm that you want to merge the parameters. Click Add Panel.

  3. You have now created three panels for your starter SOC_<your initials###> dashboard. Your dashboard should look like the one below.

Quiz (True or False?)

  1. Adding a wildcard in the parameter window means it will filter out everything.
  2. Timeslice groups my incoming logs into chunks of time.
  3. The following code | where !isEmpty(actor) filters out logs that do not have an actor.

Summary

Congratulations! You’ve completed the following tasks:

  1. Looking at user activity.
  2. Filtering on top values.
  3. Analyzing data over time.
  4. Aggregating by count.