Hello,
I am looking for a query based on my below scenario use case :
User passwords shall comply with minimum complexity requirements. These requirements only partially protect from the risk that weak passwords are used and exploited. Several databases of commonly used passwords exist and contain passwords that are compliant with the DB password complexity policy. An attacker may test a large number of user accounts to find a user that has adopted a common password. This attack is known under the name of password spraying. Due to the large number of users and passwords to be tested, the attack must be automated with scripts that repeatedly test one password on multiple accounts. This monitoring use case should be implemented to enhance protection against weak passwords.
The detection rule shall be based on the following filter criteria:
• Select events with Log Event ID 4771 - Kerberos pre-authentication failed (all these events refer to a failed login attempt)
• Remove duplicates: Filter out all events where the client address belongs to one of the DB Domain Controller servers (list of DC servers required!!)
• Count the number of failed logins per day per client address
• Count the number of subject account names per client address
• Raise an alert when, for a given client address, both counts exceed the defined thresholds X and Y
Sensible thresholds should be defined while testing the use case, an initial suggestion is:
X = 100 -> More than 100 failed logins per day
Y = 80 -> Failed logins correspond to a minimum of 80 different subject account names
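The counting logic described in the use case above, as an added example in Python (not Splunk SPL, and not code from any post in this thread) run over constructed 4771-style records; the field names client_ip and target_user and the sample addresses are assumptions made for the example:

```python
from collections import defaultdict

# Constructed sample 4771 records (not real logs): one dict per failed pre-auth event.
# Field names (time, event_id, client_ip, target_user) are assumptions for this example.
SAMPLE_EVENTS = (
    # one source trying 120 different accounts on the same day: spraying pattern
    [{"time": "2024-01-10T09:00:00", "event_id": 4771, "client_ip": "10.0.0.5",
      "target_user": f"user{i:03d}"} for i in range(120)]
    # one source hammering a single account 150 times: exceeds X but not Y
    + [{"time": "2024-01-10T10:00:00", "event_id": 4771, "client_ip": "10.0.0.9",
        "target_user": "alice"} for _ in range(150)]
    # a domain controller address: must be filtered out before counting
    + [{"time": "2024-01-10T11:00:00", "event_id": 4771, "client_ip": "10.0.0.1",
        "target_user": f"svc{i}"} for i in range(200)]
    # a single failure the next day from the first source: below both thresholds
    + [{"time": "2024-01-11T08:00:00", "event_id": 4771, "client_ip": "10.0.0.5",
        "target_user": "bob"}]
)

# Constructed DC address list, playing the role of the thread's DomainControllers.csv.
DOMAIN_CONTROLLERS = {"10.0.0.1"}


def detect_password_spraying(events, dc_addresses, x=100, y=80):
    """Return (day, client_ip, failed_count, distinct_users) for every client
    address whose daily failure count exceeds x AND whose distinct target
    account count exceeds y, skipping sources in dc_addresses."""
    failures = defaultdict(int)   # (day, client_ip) -> number of 4771 events
    users = defaultdict(set)      # (day, client_ip) -> distinct target accounts
    for ev in events:
        if ev["event_id"] != 4771 or ev["client_ip"] in dc_addresses:
            continue
        key = (ev["time"][:10], ev["client_ip"])  # bucket by calendar day
        failures[key] += 1
        users[key].add(ev["target_user"])
    alerts = []
    for (day, ip), count in sorted(failures.items()):
        distinct = len(users[(day, ip)])
        if count > x and distinct > y:
            alerts.append((day, ip, count, distinct))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spraying(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print("ALERT day=%s client=%s failures=%d distinct_users=%d" % alert)
```

The single-account source (10.0.0.9) trips the failure threshold but not the distinct-user threshold, which is what separates spraying from a plain brute force against one account.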
Like this:
index=win* EventCode="4771" AND NOT [| inputlookup DomainControllers.csv | rename host AS src_ip | fields src_ip]
| dedup Your Duplication Fields Listed Here
| bin _time span=1d
| stats values(user) AS users dc(user) AS num_users count BY src_ip _time
| search count>X AND num_users>Y
We don't have the domain controllers.csv file uploaded, but can we use this query and get the result we are looking for in the above question?
Mr. Woodcock,
Thanks for the solution. It is simple and works like a charm!!!!!
Yes, but it will obviously include DCs, too. Just remove the AND NOT ... part.
I believe the Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435/) has a similar use case.
Are there use cases for failed logins and brute force attacks in Splunk Security Essentials, where a prebuilt query is there and we can set up thresholds and send alerts?
Thanks,
Sahil
You can download the app from Splunkbase. It has 400+ use cases with prebuilt SPL queries and data onboarding guides, and lots of other information around how to implement these use cases. A must-have app in your repository.