Splunk Enterprise Security

Splunk Enterprise Security: Is Splunk is able to detect low and slow password attack using correlation search?

dellytaniasetia
Explorer

Hi

Is Splunk is able to detect low and slow password attack using correlation search? E.g. hacker attempt to guess password by keep trying 2-3 times (below account lockout threshold) everyday until he managed to get the correct password without getting the user's account locked.

Thanks

0 Karma

varad_joshi
Communicator

Splunk will detect if you configure it to detect.

Not sure if there is an inbuilt functionality but here is what I do.

Setup an search that checks for failed password on daily basis. Check for ids which are constantly appearing on daily basis for x number of times. If the pattern continues then you know if a hacker is trying to break into a particular id.

0 Karma
Get Updates on the Splunk Community!

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!

The Splunk Developer Program is launching in beta, and we’re celebrating with an exciting hackathon! This is ...

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...