Splunk Enterprise Security

Splunk Enterprise Security: Is Splunk is able to detect low and slow password attack using correlation search?

dellytaniasetia
Explorer

Hi

Is Splunk is able to detect low and slow password attack using correlation search? E.g. hacker attempt to guess password by keep trying 2-3 times (below account lockout threshold) everyday until he managed to get the correct password without getting the user's account locked.

Thanks

0 Karma

varad_joshi
Communicator

Splunk will detect if you configure it to detect.

Not sure if there is an inbuilt functionality but here is what I do.

Setup an search that checks for failed password on daily basis. Check for ids which are constantly appearing on daily basis for x number of times. If the pattern continues then you know if a hacker is trying to break into a particular id.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...