How to write a query to detect Brute-force attack ...

phanichintha · ‎07-20-2020

Hello,

I wrote a query for windows AD to detect Brute-force attack
index="main" (EventCode=4624 OR EventCode=4625) Account_Name="*" NOT Account_Name="-"
| stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed,
count(eval(match(Keywords,"Audit Success"))) as Success
earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by Account_Name
| where Attempts>=5 AND Failed>=5 AND Success>0
| eval FirstAttempt=strftime(FirstAttempt,"%x %X")
| eval LatestAttempt=strftime(LatestAttempt,"%x %X")

So same like this can anyone share the exact query for two scenarios.
1. Linux machines
2. ForgeRock authentication

gcusello · ‎07-21-2020

Hi @phanichintha,

as you did for Windows (index="main" (EventCode=4624 OR EventCode=4625) Account_Name="*" NOT Account_Name="-"), you have to find an eventtype for Linux and ForgeRock.

For Linux, you could use these eventtypes:

[Linux_Audit]
search = index=os sourcetype=linux_secure NOT disconnect

[Linux_Logfail]
search = eventtype=Linux_Audit "failed password"

[Linux_Login]
search = eventtype=Linux_Audit "accepted password"

[Linux_Logout]
search = eventtype=Linux_Audit "session closed"

For ForgeRock I cannot help you because I don't know it, but you can follow my approach.

Ciao.

Giuseppe

How to write a query to detect Brute-force attack from Linux machines and ForgeRock authentication

What’s New & Next in Splunk SOAR

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

September Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

How to write a query to detect Brute-force attack from Linux machines and ForgeRock authentication

What’s New & Next in Splunk SOAR

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

September Community Champions: A Shoutout to Our Contributors!