topic Re: How to write a query to detect Brute-force attack from Linux machines and ForgeRock authentication in Splunk Enterprise https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-query-to-detect-Brute-force-attack-from-Linux/m-p/510184#M2731 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/185959">@phanichintha</a>,</P><P>as you did for Windows (<STRONG>index="main" (EventCode=4624 OR EventCode=4625) Account_Name="*" NOT Account_Name="-")</STRONG>, you have to find an eventtype for Linux and ForgeRock.</P><P>For Linux, you could use these eventtypes:</P><LI-CODE lang="markup">[Linux_Audit] search = index=os sourcetype=linux_secure NOT disconnect [Linux_Logfail] search = eventtype=Linux_Audit "failed password" [Linux_Login] search = eventtype=Linux_Audit "accepted password" [Linux_Logout] search = eventtype=Linux_Audit "session closed"</LI-CODE><P>For ForgeRock I cannot help you because I don't know it, but you can follow my approach.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 21 Jul 2020 08:51:00 GMT gcusello 2020-07-21T08:51:00Z How to write a query to detect Brute-force attack from Linux machines and ForgeRock authentication https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-query-to-detect-Brute-force-attack-from-Linux/m-p/510169#M2729 <P>Hello,</P><P>I wrote a query for windows AD to&nbsp;detect Brute-force attack<BR /><STRONG>index="main" (EventCode=4624 OR EventCode=4625) Account_Name="*" NOT Account_Name="-"</STRONG><BR /><STRONG>| stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed,</STRONG><BR /><STRONG>count(eval(match(Keywords,"Audit Success"))) as Success</STRONG><BR /><STRONG>earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Account_Name</STRONG><BR /><STRONG>| where Attempts&gt;=5 AND Failed&gt;=5 AND Success&gt;0</STRONG><BR /><STRONG>| eval FirstAttempt=strftime(FirstAttempt,"%x %X") </STRONG><BR /><STRONG>| eval LatestAttempt=strftime(LatestAttempt,"%x %X")</STRONG></P><P>&nbsp;</P><P>So same like this can anyone share the exact query for two scenarios.<BR />1. Linux machines<BR />2. ForgeRock authentication</P> Tue, 21 Jul 2020 06:29:34 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-query-to-detect-Brute-force-attack-from-Linux/m-p/510169#M2729 phanichintha 2020-07-21T06:29:34Z Re: How to write a query to detect Brute-force attack from Linux machines and ForgeRock authentication https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-query-to-detect-Brute-force-attack-from-Linux/m-p/510184#M2731 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/185959">@phanichintha</a>,</P><P>as you did for Windows (<STRONG>index="main" (EventCode=4624 OR EventCode=4625) Account_Name="*" NOT Account_Name="-")</STRONG>, you have to find an eventtype for Linux and ForgeRock.</P><P>For Linux, you could use these eventtypes:</P><LI-CODE lang="markup">[Linux_Audit] search = index=os sourcetype=linux_secure NOT disconnect [Linux_Logfail] search = eventtype=Linux_Audit "failed password" [Linux_Login] search = eventtype=Linux_Audit "accepted password" [Linux_Logout] search = eventtype=Linux_Audit "session closed"</LI-CODE><P>For ForgeRock I cannot help you because I don't know it, but you can follow my approach.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 21 Jul 2020 08:51:00 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-query-to-detect-Brute-force-attack-from-Linux/m-p/510184#M2731 gcusello 2020-07-21T08:51:00Z