Splunk Enterprise Security

How to find the source of excessive failed logins (bruteforce)?

iKickFish
Explorer

We see there are 40,000 failed login attempts to a DC on our network but are unable to verify the source (IP) using Splunk. Assuming we are collecting all the necessary data, what should we search for to find the culprit?

We have ES and the indicators are consistent with a brute force attack.

Here is what we run to find those results.

| from datamodel:"Authentication"."Failed_Authentication" | search src="companydomain.com" | stats count by user | sort - count
0 Karma

Splunker
Communicator

Depending on authentication load, and given this is a DC, this could be normal, it depends.

alt text

You could try selecting this link from your notable-event (which you might have already). Ensure your assets.csv correctly reflects reality, with both IPs and DNS/Hostnames, should make your ES experience better.

Otherwise you could remove "| search src="companydomain.com" from the search and look at everything that is failing authentication to deduce what's happening.

Cheers.

0 Karma

sushantmhatre
Explorer

use iplocation commmand

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...