Splunk Enterprise Security: Is Splunk able to detect low and slow password attack using correlation search?

dellytaniasetia
Explorer
11-03-2016
11:40 PM
Hi,
Is Splunk able to detect a low and slow password attack using a correlation search? E.g. a hacker attempts to guess a password by trying 2-3 times (below the account lockout threshold) every day until he manages to get the correct password without getting the user's account locked.
Thanks
varad_joshi
Communicator
11-03-2016
11:49 PM
Splunk will detect if you configure it to detect.
Not sure if there is an inbuilt functionality, but here is what I do.
Set up a search that checks for failed passwords on a daily basis. Check for IDs which are constantly appearing on a daily basis x number of times. If the pattern continues, then you know if a hacker is trying to break into a particular ID.
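
One way to express the search described in the answer above, as an added example that is not part of the original post. It assumes failed logins are mapped to the CIM Authentication data model; the 14-day window and the two `assumed_` thresholds are placeholders to tune against the actual lockout policy.

```spl
| tstats count AS failures values(Authentication.src) AS src
    FROM datamodel=Authentication
    WHERE Authentication.action="failure" earliest=-14d@d latest=@d
    BY Authentication.user _time span=1d
| rename "Authentication.user" AS user
| stats dc(_time) AS days_with_failures
        sum(failures) AS total_failures
        max(failures) AS max_per_day
        values(src) AS src
    BY user
| eval assumed_lockout_threshold=5, assumed_min_days=5
| where max_per_day < assumed_lockout_threshold AND days_with_failures >= assumed_min_days
| sort - days_with_failures
```

The first stage counts failures per user per day; the second keeps only accounts whose daily count never reaches the lockout threshold but which fail on many separate days. Accounts with a stale stored password on a device or service produce the same shape, so the `src` values are carried through for triage.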
