Deployment Architecture

external account unsuccessful attempts to authenticate to multiple hosts

jshael
New Member

Any help figuring out how to design a query for this would be helpful.

0 Karma

woodcock
Esteemed Legend

something like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND other stuff here
| streamstats time_window=?? count dc(dest) AS dc BY host
| where count>?? AND dc>??
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Install the Splunk Security Essentials app and check out the Brute Force Access Attempt Detected use cases.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...