Splunk Enterprise Security

How to make a report of unsuccessful connection attempts

mariorodriguez
Engager

Hello
I'm new to this community and my first question is this: how do I make a report of unsuccessful connection attempts? I have tried to find a query for this but I have not been successful, as this is the first time I'm handling Splunk.

I would appreciate your help

regards

0 Karma

DalJeanis
Legend

Okay, you are going to have to figure out what a logon looks like, and what an unsuccessful logon looks like, on your system. If you don't have a senior person who already has some queries for you to start with, then what you do is this -

1) Log off your system
2) Log onto your system but INTENTIONALLY type the wrong password the first time.
3) Log onto your system
4) Immediately log onto Splunk, go to your search within about 3 minutes and search for

  index=* earliest=-3m@m  "<myuserid>"

where <myuserid> is your user id. Do not put the angle brackets, just your userid.

That should return you a few records that show you logging off, failing to log on, and logging on - one of each. You now know what the records look like, what index they are in, and what fields are already available on them.

Now, with all the different operating systems and device types and security software there are out there, there are literally dozens of ways a person can log on, and probably hundreds of ways that the records might look. The connection records for a VPN look different from logons via Windows XP, or Windows 8, or via PAM, or via su or sudo or ssh or any number of other ones. So, really, you need to find out internally which ones you are supposed to be looking for, and in what indexes.

When you find out more specifics, then you can search site:answers.splunk.com for those key words to find sample queries.

Here's one answer that's relevant:

https://answers.splunk.com/answers/527671/how-to-generate-a-search-to-find-the-wrong-user-lo.html

0 Karma
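To make the point in the answer above concrete (that failed logons look different per source and you have to know each shape before you can count them), here is an added example that is not part of the original thread or of Splunk itself. It takes a handful of constructed log lines in three common shapes (a Windows 4625 event, sshd "Failed password", and a sudo failure), recognises only the failures, and produces the per-user count that a report of unsuccessful attempts would show. The event text, host names, user names and IP addresses are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample records (not from the original thread) showing three of the
# shapes a failed logon can take; successes are included so they can be ignored.
SAMPLE_EVENTS = [
    "EventCode=4625 Account_Name=jdoe Failure_Reason=Unknown user name or bad password.",
    "EventCode=4624 Account_Name=jdoe Logon_Type=2",
    "Apr 10 09:12:01 host sshd[2211]: Failed password for jdoe from 10.0.0.5 port 51122 ssh2",
    "Apr 10 09:12:07 host sshd[2211]: Accepted password for jdoe from 10.0.0.5 port 51122 ssh2",
    "Apr 10 09:13:40 host sudo: asmith : 3 incorrect password attempts ; TTY=pts/0",
    "Apr 10 09:15:02 host sshd[2300]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2",
]

# One pattern per record shape; each captures the user name. The keys are just
# labels for the source type so the report can say where a failure came from.
FAILURE_PATTERNS = {
    "windows_4625": re.compile(r"EventCode=4625\b.*?Account_Name=(?P<user>\S+)"),
    "sshd_failed": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+)"),
    "sudo_failed": re.compile(r"sudo: (?P<user>\S+) : \d+ incorrect password attempts"),
}


def classify_failure(event):
    """Return (source_type, user) if the event is a failed logon, else None."""
    for source, pattern in FAILURE_PATTERNS.items():
        match = pattern.search(event)
        if match:
            return source, match.group("user")
    return None


def failed_logon_report(events):
    """Count failed logons per user across all recognised record shapes.

    Successful logons (4624, 'Accepted password') contribute nothing.
    Returns a plain dict such as {"jdoe": 2, "asmith": 1, "admin": 1}.
    """
    counts = Counter()
    for event in events:
        hit = classify_failure(event)
        if hit is not None:
            counts[hit[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, n in sorted(failed_logon_report(SAMPLE_EVENTS).items()):
        print(f"{user}: {n} failed logon(s)")
```

The same grouping is what the eventual Splunk search does once you know the field and value that mark a failure in your own data (in SPL terms, a filter on that field followed by `stats count by user`); the patterns above stand in for that field extraction and will need adjusting to whatever your indexes actually contain.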

diogofgm
SplunkTrust

Can you give more details? What do you mean with unsuccessful connection attempts?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma