Splunk Enterprise Security

Splunk Enterprise Security: Is Splunk is able to detect low and slow password attack using correlation search?

dellytaniasetia
Explorer

Hi

Is Splunk is able to detect low and slow password attack using correlation search? E.g. hacker attempt to guess password by keep trying 2-3 times (below account lockout threshold) everyday until he managed to get the correct password without getting the user's account locked.

Thanks

0 Karma

varad_joshi
Communicator

Splunk will detect if you configure it to detect.

Not sure if there is an inbuilt functionality but here is what I do.

Setup an search that checks for failed password on daily basis. Check for ids which are constantly appearing on daily basis for x number of times. If the pattern continues then you know if a hacker is trying to break into a particular id.

0 Karma
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...