- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: "Brute Force Access Behavior Detected" from Mi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Brute Force Access Behavior Detected" from Microsoft domain controllers
Seeing lots of "Brute Force Access Behavior Detected" notable events coming from Microsoft domain controllers. The correlation search triggers when successful authentication >0 and failures_by_src_count_1h is above medium. The source is domain controllers which handle authentication requests from thousands of users. Any recommendations on safely tuning this correlation search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't want to see brute force from DC as this is of no use but instead from actual users, I am stuck at place where this extreme search is defined in the rule "xswhere failure from failures_by_src_count_1h in authentication is above medium"
I want to replace this failures_by_src_count_1h from failures_by_user_count_1h but don't have an idea how to change this. Any help in this would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you want to get rid of 'Brute Force' attempts from Microsoft domain controllers or to create notable events only when the conceptual threshold is high or critical?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Herres one for username guessing attacks I put on gosplunk. In particular check the 2nd line.
| bin _time span=5m as minute
Try tweaking the timer as seen in the SPL. If youre analysing if it takes someone less than a minute to guess wrongly 4 times then theyre a terrible brute forcer.
Doing it in 5 minute blocks may help suppress some of those false positives.
https://gosplunk.com/detect-username-guessing-brute-force-attacks/
sourcetype=windows EventCode=4625 OR EventCode=4624
| bin _time span=5m as minute
| rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:"
| stats count(Keywords) as Attempts,
count(eval(match(Keywords,"Audit Failure"))) as Failed,
count(eval(match(Keywords,"Audit Success"))) as Success by minute username
| where Failed>=4
| stats dc(username) as Total by minute
| where Total>5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I downvoted this post because op is asking about tuning a correlation search in es. not creating a brute force rule in core.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
