Deployment Architecture

external account unsuccessful attempts to authenticate to multiple hosts

jshael
New Member

Any help figuring out how to design a query for this would be helpful.

0 Karma

woodcock
Esteemed Legend

something like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND other stuff here
| streamstats time_window=?? count dc(dest) AS dc BY host
| where count>?? AND dc>??
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Install the Splunk Security Essentials app and check out the Brute Force Access Attempt Detected use cases.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...