Splunk Enterprise Security

How to search for brute force logins coming from an external source only?

ewonn
New Member

Guys, I am trying to specifically see if I can distinguish when the login attempts are coming from an external source. What else can I add to this search?

```
| tstats summariesonly=t allow_old_summaries=t prestats=t count(Authentication.user) from datamodel=Authentication where Authentication.action=block* OR Authentication.action=fail* groupby _time span=1h, Authentication.user
| tstats append=t summariesonly=t allow_old_summaries=t prestats=t count from datamodel=Authentication where Authentication.action=success groupby _time span=1d, Authentication.user
| stats count count(Authentication.user) by Authentication.user
| rename count as successes count(Authentication.user) as failures Authentication.* as *
| where successes>0 AND failures>100
| sort - failures
| head
```

I also tried the following search, but it didn't work because sometimes the source could be a machine name or host name made of letters rather than an IP address:

```
NOT (src_ip="10.0.0.0/8" OR src_ip="172.16.0.0/12" OR src_ip="192.168.0.0/16")
```
0 Karma

richgalloway
SplunkTrust

Filter on the Authentication.src field, using criteria that make sense for your environment.

---
If this reply helps you, Karma would be appreciated.
0 Karma
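One way to apply that advice while still handling src values that are hostnames instead of IP addresses. This is an added example, not code from the thread or from Splunk; it assumes the Authentication data model fields already used in the question (Authentication.user, Authentication.src, Authentication.action), the RFC 1918 ranges the asker listed, and an accelerated data model (required by summariesonly=t). The src_kind bucket names and the hostname regex are assumptions chosen for illustration.

```spl
| tstats summariesonly=t allow_old_summaries=t count
    from datamodel=Authentication
    where Authentication.action=fail* OR Authentication.action=block* OR Authentication.action=success
    by Authentication.user Authentication.src Authentication.action
| rename Authentication.* as *
``` classify the source once, so hostnames never fall through a CIDR test ```
| eval is_ipv4=if(match(src, "^(\d{1,3}\.){3}\d{1,3}$"), 1, 0)
| eval src_kind=case(
      is_ipv4=1 AND (cidrmatch("10.0.0.0/8", src) OR cidrmatch("172.16.0.0/12", src) OR cidrmatch("192.168.0.0/16", src) OR cidrmatch("127.0.0.0/8", src)), "internal_ip",
      is_ipv4=1, "external_ip",
      match(src, "^[A-Za-z0-9][A-Za-z0-9.\-]*$"), "hostname",
      true(), "unknown")
``` keep only sources that are routable IPv4 addresses outside the private ranges ```
| where src_kind="external_ip"
``` split the per-action counts into the same successes/failures shape as the original search ```
| eval failures=if(action="success", 0, count), successes=if(action="success", count, 0)
| stats sum(failures) as failures sum(successes) as successes dc(src) as distinct_sources values(src) as external_sources by user
| where successes>0 AND failures>100
| sort - failures
```

The ``` ... ``` lines inside the search are SPL comments and can stay in the search bar. Two caveats a reviewer would raise: sources classified as "hostname" are deliberately dropped here rather than guessed at, because a bare machine name cannot be placed inside or outside the network by CIDR; if those matter, branch on src_kind="hostname" and compare against your own list of internal asset names instead. IPv6 sources land in the "unknown" bucket because the regex only recognises dotted-quad IPv4; extend the case() with additional cidrmatch() ranges if your environment has external IPv6 logins.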