Splunk Search

SPL Query Error

adoumbia
Engager

I am trying to write an spl query to detect an event of a single source IP address  or a user fails multiple time to login to multiple accounts.

can anyone help me write it.

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Please share some sample anonymised events so that we can see what you are dealing with. Please explain which parts of the events are important for what you are trying to discover. Please share what you would like the results to look like. Without this type of information, we are reduced to attempting to read your mind (and my mind-reading license has been revoked after the unfortunate incident with the estate agent!)

0 Karma

adoumbia
Engager

i want to find out which IP address, hostname or username has failed multiple time to login to multiple accounts.
I am trying to detect brute force attack.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @adoumbia ,

as @ITWhisperer said, it's really difficoult to help you without knowing the events to apply the search.

Anyway, if you need a brute force attack sample search, you can see in the Splunk Security Essentials App ( https://splunkbase.splunk.com/app/3435 ) where you can find what you're searching and many other Security Use Cases.

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Please share some sample anonymised events so that we can see what you are dealing with. Please explain which parts of the events are important for what you are trying to discover. Please share what you would like the results to look like. Without this type of information, we are reduced to attempting to read your mind (and my mind-reading license has been revoked after the unfortunate incident with the estate agent!)

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...