Deployment Architecture

external account unsuccessful attempts to authenticate to multiple hosts

jshael
New Member

Any help figuring out how to design a query for this would be helpful.

0 Karma

woodcock
Esteemed Legend

something like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND other stuff here
| streamstats time_window=?? count dc(dest) AS dc BY host
| where count>?? AND dc>??
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Install the Splunk Security Essentials app and check out the Brute Force Access Attempt Detected use cases.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.