Splunk Enterprise Security

How to make a report of unsuccessful connection attempts

mariorodriguez
Engager

Hello
I'm new to this community and my first question is this: How to make a report of unsuccessful connection attempts? I have tried to find some query for my question but I have not been successful. As a note, this is the first time I'm handling Splunk.

I would appreciate your help

regards

0 Karma

DalJeanis
Legend

Okay, you are going to have to figure out what a logon looks like, and what an unsuccessful logon looks like, on your system. If you don't have a senior person who already has some queries for you to start with, then what you do is this -

1) Log off your system
2) Log onto your system but INTENTIONALLY type the wrong password the first time.
3) Log onto your system
4) Immediately log onto Splunk, go to your search within about 3 minutes and search for

  index=* earliest=-3m@m  "<myuserid>"

where <myuserid> is your user id. Do not put the angle brackets, just your userid.

That should return you a few records that show you logging off, failing to log on, and logging on - one of each. You now know what the records look like, what index they are in, and what fields are already available on them.

Now, with all the different operating systems and device types and security software there are out there, there are literally dozens of ways a person can log on, and probably hundreds of ways that the records might look. The connection records for a VPN look different than logons via Windows XP, or Windows 8, or via PAM, or via su or sudo or ssh or any number of other ones. So, really, you need to find out internally which ones you are supposed to be looking for, and in what indexes.

When you find out more specifics, then you can search site:answers.splunk.com for those key words to find sample queries.

Here's one answer that's relevant:

https://answers.splunk.com/answers/527671/how-to-generate-a-search-to-find-the-wrong-user-lo.html

0 Karma
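As an added illustration of the step that follows the answer above (it is not part of the original post, and it is not code from either answerer), here is what the report can look like once you have identified the failed-logon records. The first search assumes Windows Security logs collected by the Splunk Add-on for Windows into an index called wineventlog, where a failed logon is EventCode 4625 and the add-on extracts the user and src fields; the index name and the 5-attempts threshold are assumptions you would adjust. The second search assumes the data is mapped to the Common Information Model Authentication data model, which is what Splunk Enterprise Security uses, so it works regardless of whether the failures come from Windows, VPN, ssh or sudo.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 earliest=-24h
| stats count AS failed_attempts, min(_time) AS first_seen, max(_time) AS last_seen BY user, src
| where failed_attempts >= 5
| convert ctime(first_seen) ctime(last_seen)
| sort - failed_attempts

| tstats count AS failed_attempts FROM datamodel=Authentication WHERE Authentication.action="failure" earliest=-24h BY _time span=1h, Authentication.user, Authentication.src
| rename Authentication.* AS *
| sort - failed_attempts
```

These are two separate searches, not one pipeline. The first one is the one to save as a report (Save As > Report) once the field names match what you saw in your own records in step 4 above; the where clause keeps the report focused on users or sources with repeated failures rather than one-off typos. The tstats version is much faster on large data sets because it reads the accelerated data model instead of raw events, but it only returns results for sourcetypes whose add-on tags the events as authentication and sets action=failure, so run it without the where clause first to confirm your data is in the model.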

diogofgm
SplunkTrust

Can you give more details? What do you mean with unsuccessful connection attempts?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma