We see there are 40,000 failed login attempts to a DC on our network but are unable to verify the source (IP) using Splunk. Assuming we are collecting all the necessary data, what should we search for to find the culprit?
We have ES and the indicators are consistent with a brute force attack.
Here is what we run to find those results.
| from datamodel:"Authentication"."Failed_Authentication" | search src="companydomain.com" | stats count by user | sort - count
Depending on authentication load, and given this is a DC, this could be normal, it depends.
You could try selecting this link from your notable-event (which you might have already). Ensure your assets.csv correctly reflects reality, with both IPs and DNS/Hostnames, should make your ES experience better.
Otherwise you could remove "| search src="companydomain.com" from the search and look at everything that is failing authentication to deduce what's happening.