Brute Force Attack false alert

MalcolmC — Mon, 13 Nov 2023 22:26:30 GMT

we had a vendor setup a Splunk instance for us a while ago and one of the things they did was setup a Brute Force attack alert using the following search,
| tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src
| rename Authentication.src as source, Authentication.action as action
| chart last(count) over source by action
| where success>0 and failure>20
| sort -failure
| rename failure as failures
| fields - success, unknown
Now this seems to work OK as I'm getting regular alerts, but these alerts contain little if any detail. Sometimes they contain a server name, so I've checked that server. I can see some failed login attempts on that server, but again, not detail. No account details, not IPs, no servers names.
It may be some sort of scheduled task as i get an alert from Splunk every hour and every time it has about the same number of Brute Force attacks (24). But I can't see any scheduled tasks that may cause this.

Does anyone have any suggestions on how to track down what is causing these false alerts ?

Re: Brute Force Attack false alert

bowesmana — Mon, 13 Nov 2023 22:46:46 GMT

Change the search to add in to the user and destination so it's captured, e.g.

| tstats summariesonly=t allow_old_summaries=t count values(Authentication.dest) as dest values(Authentication.user) as user from datamodel=Authentication by Authentication.action, Authentication.src | rename Authentication.* as * | chart last(count) values(dest) as dests values(user) as users over src by action

i.e. change the first 3 lines to add in the values - not also the wildcard rename

You can add more fields from the Authentication datamodel if you need more information

topic Re: Brute Force Attack false alert in Splunk Search

Brute Force Attack false alert

Re: Brute Force Attack false alert