https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-find-the-source-of-excessive-failed-logins-bruteforce/m-p/308691#M2794 <P>We see there are 40,000 failed login attempts to a DC on our network but are unable to verify the source (IP) using Splunk. Assuming we are collecting all the necessary data, what should we search for to find the culprit?</P> <P>We have ES and the indicators are consistent with a brute force attack.</P> <P>Here is what we run to find those results.</P> <PRE><CODE>| from datamodel:"Authentication"."Failed_Authentication" | search src="companydomain.com" | stats count by user | sort - count </CODE></PRE> Thu, 22 Feb 2018 17:04:13 GMT iKickFish 2018-02-22T17:04:13Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-find-the-source-of-excessive-failed-logins-bruteforce/m-p/308691#M2794 <P>We see there are 40,000 failed login attempts to a DC on our network but are unable to verify the source (IP) using Splunk. Assuming we are collecting all the necessary data, what should we search for to find the culprit?</P> <P>We have ES and the indicators are consistent with a brute force attack.</P> <P>Here is what we run to find those results.</P> <PRE><CODE>| from datamodel:"Authentication"."Failed_Authentication" | search src="companydomain.com" | stats count by user | sort - count </CODE></PRE> Thu, 22 Feb 2018 17:04:13 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-find-the-source-of-excessive-failed-logins-bruteforce/m-p/308691#M2794 iKickFish 2018-02-22T17:04:13Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-find-the-source-of-excessive-failed-logins-bruteforce/m-p/308692#M2795 <P>use iplocation commmand </P> Thu, 22 Feb 2018 18:46:07 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-find-the-source-of-excessive-failed-logins-bruteforce/m-p/308692#M2795 sushantmhatre 2018-02-22T18:46:07Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-find-the-source-of-excessive-failed-logins-bruteforce/m-p/308693#M2796 <P>Depending on authentication load, and given this is a DC, this could be normal, it depends.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4434iA6686CE1213F8506/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>You could try selecting this link from your notable-event (which you might have already). Ensure your assets.csv correctly reflects reality, with both IPs and DNS/Hostnames, should make your ES experience better.</P> <P>Otherwise you could remove "| search src="companydomain.com" from the search and look at everything that is failing authentication to deduce what's happening.</P> <P>Cheers.</P> Fri, 23 Feb 2018 05:15:31 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-find-the-source-of-excessive-failed-logins-bruteforce/m-p/308693#M2796 Splunker 2018-02-23T05:15:31Z