I created an Authentication data model that has default, Insecure, and Privileged Authentication Data model. It also uses action=success and action=failures. Please see screenshot below:
I can see the data coming in from different sources but the issue is that we have so many Windows authentication failures. Please, how can I fix these configuration issues? Has anybody come across such issues?
Are you sure this is a Splunk issue? Is it possible Splunk has just pointed out a problem that already exists in your company?
If you built the datamodel yourself, double-check the logic.
To properly diagnose authentication failures, we need to see the constraint for the Failed Authentication dataset.
The constraints for the Failed Authentication data model are:
I have another question. How can I review the event codes that are failing for windows authentication failures?
I'm confused. The Failed Authentication dataset inherits a condition ('NOT "pam_unix(sshd:auth): authentication failure;"') that is not shown in the screenshot of the parent data set in the OP.
I don't understand the new question, either, but new questions usually warrant new postings.
Pardon me. The parent screenshot I shared before was the wrong one. Below is actually the screenshot of the parent dataset:
Please let me know.
Take the constraint from the dataset and run it in a search window. Verify the results are as expected. Modify the query as necessary to get the desired results then update the datamodel.
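One way to carry out that check for the Windows side specifically, and to answer the follow-up about which event codes are failing, as an added SPL example that is not from this thread. It runs the dataset's own constraints through the `datamodel` command, so whatever you have configured in Failed_Authentication is what gets tested; the sourcetype name `WinEventLog:Security` is an assumption and may differ in your environment.

```spl
| datamodel Authentication Failed_Authentication search
| rename Authentication.* AS *
| search sourcetype="WinEventLog:Security"
| stats count AS failures, dc(src) AS distinct_sources, dc(user) AS distinct_users
        BY EventCode signature
| sort - failures
```

If most failures sit under a single EventCode with a handful of users or sources, the data model is probably reporting a real condition (for example an account with a stale password retrying against a server) rather than a constraint problem; if the rows include events that are not failed logons at all, that is the constraint to tighten before updating the data model.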