Splunk Search

Brute Force Attack false alert

MalcolmC
New Member

we had a vendor setup a Splunk instance for us a while ago and one of the things they did was setup a Brute Force attack alert using the following search,
| tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src
| rename Authentication.src as source, Authentication.action as action
| chart last(count) over source by action
| where success>0 and failure>20
| sort -failure
| rename failure as failures
| fields - success, unknown
Now this seems to work OK as I'm getting regular alerts, but these alerts contain little if any detail. Sometimes they contain a server name, so I've checked that server. I can see some failed login attempts on that server, but again, not detail. No account details, not IPs, no servers names.
It may be some sort of scheduled task as i get an alert from Splunk every hour and every time it has about the same number of Brute Force attacks (24). But I can't see any scheduled tasks that may cause this.

Does anyone have any suggestions on how to track down what is causing these false alerts ?

Labels (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Change the search to add in to the user and destination so it's captured, e.g.

| tstats summariesonly=t allow_old_summaries=t count values(Authentication.dest) as dest values(Authentication.user) as user from datamodel=Authentication by Authentication.action, Authentication.src
| rename Authentication.* as *
| chart last(count) values(dest) as dests values(user) as users over src by action

i.e. change the first 3 lines to add in the values - not also the wildcard rename

You can add more fields from the Authentication datamodel if you need more information

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...