Splunk Search

Successful Brute Force Attempts using the Authentication Data Model Question

md
Explorer

Hello all,

I'm trying to create an alert for Successful Brute Force Attempts using the Authentication Data Model. Currently, I'm doing this:

 

 

| tstats summariesonly=true count as success FROM datamodel=Authentication where Authentication.user!="*$*" AND Authentication.action="success" BY _time span=60m sourcetype Authentication.src Authentication.user

| join max=0 _time, sourcetype, Authentication.src, Authentication.user

[| tstats summariesonly=true count as failure FROM datamodel=Authentication where Authentication.user!="*$*" AND Authentication.action="failure" BY _time span=60m sourcetype Authentication.src Authentication.user]

| search success>0 AND failure>0

| where success<(failure*.05)

| rename Authentication.* as *

| lookup dnslookup clientip as src OUTPUT clienthost as src_host

| table _time, user, src, src_host, sourcetype, failure, success

 

 

It aggregates the successful and failed logins by each user for each src by sourcetype by hour. Then it returns the info when a user has failed to authenticate to a specific sourcetype from a specific src at least 95% of the time within the hour, but not 100% (the user tried to login a bunch of times, most of their login attempts failed, but at least one of the login attempts succeeded).

What everyone else would like me to do is look for the traditional pattern for finding Successful Brute Force Attempts - many failed logins followed by a successful one.

I can't seem to find an efficient way of doing that with the Splunk Authentication Data Model. We get a over a million authentication attempts per day and just under 100,000 of those are failures.

We can't afford Splunk Enterprise Security (Higher Ed) and my understanding is that this is more or less how ES Successful Brute Force Detection works anyways.

Do any of you have any advice on finding a pattern of a large number of something (failures, whatever) followed by something else (success, etc.)?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...