
How to detect fail password on Splunk?

cedSplunk2023
Observer

How to detect fail password on Splunk?


gcusello
SplunkTrust

Hi @cedSplunk2023,

your question is just a little vague!

Failed password on which operating system (Windows, Linux, etc.) or application or appliance?

Anyway, to answer this question you don't need a Splunk expert but someone who knows the target environment.

E.g. to find the failed password on Windows, you have to search for EventCode=4625; for Splunk, you have to search "ERROR AuthenticationManagerSplunk - Login failed".

In addition, you need to know in which index the data are stored, e.g. Splunk logs are in "_internal", wineventlogs are usually in "wineventlog".

In conclusion, to find the failed logins in Windows, you have to search:

index=wineventlog EventCode=4625

To find the failed logins in Splunk, you have to search:

index=_internal "ERROR AuthenticationManagerSplunk - Login failed"

Remember that finding something in Splunk depends 70% on your knowledge of the target and 30% on your Splunk knowledge.

Ciao.

Giuseppe
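
An added example, not part of the answer above and not Splunk's own content: the Windows search from the answer extended into a thresholded detection that groups failures per source in 10-minute windows. It assumes the Splunk Add-on for Microsoft Windows is extracting the `user`, `src` and `dest` fields; the window, both thresholds and the `pattern` labels are arbitrary starting values to tune for your environment.

```spl
index=wineventlog EventCode=4625
| bin _time span=10m
| stats count AS failures dc(user) AS distinct_accounts values(user) AS accounts BY _time src dest
| where failures >= 10
| eval pattern=if(distinct_accounts >= 5, "many accounts from one source", "repeated failures on few accounts")
| sort - failures
```

If those fields are not extracted in your data, replace them in the `BY` clause with fields that are, such as the default `host`.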
