Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

The issue is that we have so many windows authentication failures after creating Authentication Data model

ngwodo
Path Finder
‎10-12-2021 12:42 PM

I created an Authentication data model that has default, Insecure, and Priviledge Authentication Data model. It also uses action=success and action=failures.  Please see screenshot below:

ngwodo_0-1634067370327.png

 

I can see the data coming in from different sources but the issue is  that we have so many windows authentication failures. Please how can I fix this configurations issues? Has anybody come across such issues?

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2021 06:13 AM

Are you sure this is a Splunk issue?  Is it possible Splunk has just pointed out a problem that already exists in your company?

If you built the datamodel yourself, double-check the logic.  

To properly diagnose authentication failures, we need to see the constraint for the Failed Authentication dataset.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ngwodo
Path Finder
‎10-13-2021 02:38 PM

The constraints for the Failed Authenication Data model is:

(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) NOT "pam_unix(sshd:auth): authentication failure;"
action="failure"

 

ngwodo_0-1634160947562.png

 

I have another question. How can I review the event codes that are failing for windows authentication failures?

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2021 02:49 PM

I'm confused.  The Failed Authentication dataset inherits a condition ('NOT "pam_unix(sshd:auth): authentication failure;"') that is not shown in the screenshot of the parent data set in the OP.

I don't understand the new question, either, but new questions usually warrant new postings.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ngwodo
Path Finder
‎10-13-2021 03:17 PM

Pardon me. The parent screenshot I shared before was the wrong one. Below is actually the screenshot of the parent dataset:

ngwodo_0-1634163448535.png

 

Please let me know.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2021 05:08 PM

Take the constraint from the dataset and run it in a search window.  Verify the results are as expected.  Modify the query as necessary to get the desired results then update the datamodel.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...