Getting Data In

"Brute Force Access Behavior Detected" from Microsoft domain controllers

dsuddu
Engager

Seeing lots of "Brute Force Access Behavior Detected" notable events coming from Microsoft domain controllers. The correlation search triggers when successful authentication >0 and failures_by_src_count_1h is above medium. The source is domain controllers, which handle authentication requests from thousands of users. Any recommendations on safely tuning this correlation search?

sandeepghi
New Member

I don't want to see brute force from the DC, as this is of no use, but instead from actual users. I am stuck at the place where this extreme search is defined in the rule: "xswhere failure from failures_by_src_count_1h in authentication is above medium".

I want to replace failures_by_src_count_1h with failures_by_user_count_1h but don't have an idea how to change this. Any help with this would be appreciated.

0 Karma

jawaharas
Motivator

Do you want to get rid of 'Brute Force' attempts from Microsoft domain controllers, or to create notable events only when the conceptual threshold is high or critical?

0 Karma

davey1985
Explorer

Here's one for username guessing attacks I put on gosplunk. In particular, check the 2nd line.

| bin _time span=5m as minute

Try tweaking the timer as seen in the SPL. If you're analysing whether it takes someone less than a minute to guess wrongly 4 times, then they're a terrible brute forcer.

Doing it in 5 minute blocks may help suppress some of those false positives.

https://gosplunk.com/detect-username-guessing-brute-force-attacks/

sourcetype=windows EventCode=4625 OR EventCode=4624
| bin _time span=5m as minute
| rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:"
| stats count(Keywords) as Attempts,
    count(eval(match(Keywords,"Audit Failure"))) as Failed,
    count(eval(match(Keywords,"Audit Success"))) as Success by minute username
| where Failed>=4
| stats dc(username) as Total by minute
| where Total>5
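
The two detections discussed in this thread, written out in Python as an added example (not code from any of the posters, and not the ES correlation search itself), so the effect of the tuning choices can be checked against sample data: the ES-style rule from the original question (flag a key when success > 0 and failures in the hour are above a threshold) aggregated per source versus per user, with an optional allowlist of DC addresses, and davey1985's 5-minute username-guessing search. The events, addresses and account names are constructed; EventCode 4625/4624 stands in for the Keywords "Audit Failure"/"Audit Success" test, and the numeric threshold 10 is an assumed stand-in for the xswhere "medium" concept, whose real value comes from the ES context.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS, FAILURE = 4624, 4625          # Windows logon success / failure event codes
T0 = datetime(2024, 1, 1, 9, 0, 0)     # start of the constructed sample window
EPOCH = datetime(1970, 1, 1)


def build_sample_events():
    """Constructed events shaped like 4624/4625 records: (timestamp, EventCode, src, user).
    Addresses and account names are made up for this example."""
    ev = []
    # 10.0.0.5 plays the domain controller: 12 different users, one failure then one success each.
    for i in range(12):
        ev.append((T0 + timedelta(minutes=i), FAILURE, "10.0.0.5", f"dc_user{i:02d}"))
        ev.append((T0 + timedelta(minutes=i, seconds=30), SUCCESS, "10.0.0.5", f"dc_user{i:02d}"))
    # 10.0.0.99 hammers a single account 15 times and then gets in.
    for j in range(15):
        ev.append((T0 + timedelta(minutes=20, seconds=10 * j), FAILURE, "10.0.0.99", "svc_backup"))
    ev.append((T0 + timedelta(minutes=22, seconds=30), SUCCESS, "10.0.0.99", "svc_backup"))
    # 10.0.0.77 tries six different usernames, four guesses each, within two minutes, no success.
    for u in range(6):
        for k in range(4):
            ev.append((T0 + timedelta(minutes=40, seconds=5 * (4 * u + k)), FAILURE,
                       "10.0.0.77", f"spray_u{u:02d}"))
    return ev


def brute_force_rule(events, key, medium=10, exclude=frozenset(), window=timedelta(hours=1)):
    """ES-style rule: count failures and successes per `key` ("src" or "user") over a one-hour
    window and flag keys with success > 0 and failures above `medium`.
    `medium` is an assumed stand-in for the xswhere concept; the real threshold comes from the
    ES context. `exclude` is an allowlist of src addresses (e.g. your DCs) skipped before counting."""
    start = min(ts for ts, _, _, _ in events)
    fails, succ = defaultdict(int), defaultdict(int)
    for ts, code, src, user in events:
        if src in exclude or not (start <= ts < start + window):
            continue
        k = src if key == "src" else user
        if code == FAILURE:
            fails[k] += 1
        elif code == SUCCESS:
            succ[k] += 1
    return sorted(k for k in fails if succ[k] > 0 and fails[k] > medium)


def username_guessing_rule(events, span=timedelta(minutes=5), min_failed=4, min_users=5):
    """davey1985's search in Python: bin failures into `span` buckets, keep (bin, user) pairs
    with at least `min_failed` failures, then flag bins where more than `min_users` distinct
    users qualify."""
    span_s = int(span.total_seconds())
    failed = defaultdict(int)
    for ts, code, _, user in events:
        if code == FAILURE:
            # Same alignment as `bin _time span=5m`: floor to a multiple of the span since epoch.
            bucket = EPOCH + timedelta(seconds=int((ts - EPOCH).total_seconds()) // span_s * span_s)
            failed[(bucket, user)] += 1
    users_per_bin = defaultdict(set)
    for (bucket, user), n in failed.items():
        if n >= min_failed:
            users_per_bin[bucket].add(user)
    return {b: sorted(u) for b, u in users_per_bin.items() if len(u) > min_users}


if __name__ == "__main__":
    events = build_sample_events()
    print("by src:          ", brute_force_rule(events, "src"))
    print("by src, DCs out: ", brute_force_rule(events, "src", exclude={"10.0.0.5"}))
    print("by user:         ", brute_force_rule(events, "user"))
    for bucket, users in username_guessing_rule(events).items():
        print("username guessing", bucket.time(), users)
```

Run as-is, the per-source rule flags both the DC (12 unrelated users each failing once and then logging in) and the host attacking svc_backup; either allowlisting the DC address or aggregating per user drops the DC hit while keeping svc_backup. The spraying host never succeeds, so the ES-style success > 0 condition never fires on it, which is the gap davey1985's 5-minute bin rule covers: in the 09:40 bucket six usernames each reach four failures, which is over the Total>5 cut-off. In ES, switching from per-source to per-user counting means changing the field the correlation search's stats aggregates on as well as the context the xswhere compares it against; the two have to agree or the threshold is meaningless.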

bcyates
Communicator

I downvoted this post because the OP is asking about tuning a correlation search in ES, not creating a brute force rule in Core.

0 Karma