Hello, I have this Splunk built-in rule: "Brute Force Access Behavior Detected Over 1d"

| tstats `summariesonly` values(Authentication.app) as app,count from datamodel=Authentication.Authentication where earliest=-1d by Authentication.action,Authentication.src,index
| `drop_dm_object_name("Authentication")`
| eval success=if(action="success",count,0),failure=if(action="failure",count,0)
| stats values(app) as app,sum(failure) as failure,sum(success) as success by src,index
| where success > 0
| `mltk_apply_upper("app:failures_by_src_count_1d", "medium", "failure")`
| rex field=index "(?<bu_prefix>[a-zA-Z]+)"
| lookup org_lookup.csv bu_prefix OUTPUTNEW Organization

1. How can I add to this query an indication of which user was used?
2. The query shows the app list + number of failures + number of successes, but no correlation of failures/successes to apps. How can I do that?
3. How can I add the failure reason to the query?
4. If there is an IP address that only made several failed login attempts to one user, how can we catch such a scenario?

Thanks!
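The following is an added SPL example, not part of the original post and not Splunk's shipped rule. It illustrates the general pattern the question is asking about: pulling the user, app and failure reason fields from the CIM Authentication data model into the same tstats split, then grouping the failure/success counts per source, user and app so a single source hammering one account stands out. It assumes the data model is accelerated with `Authentication.user`, `Authentication.app` and `Authentication.reason` populated by the source's CIM add-on (fields that exist in the CIM Authentication model, but `reason` is often empty for some sources); the failure threshold of 20 and the `targeted_users` logic are the example's own choices, not from the page.

```spl
| tstats `summariesonly` count
    from datamodel=Authentication.Authentication
    where earliest=-1d
    by Authentication.action, Authentication.app, Authentication.src,
       Authentication.user, Authentication.reason, index
| `drop_dm_object_name("Authentication")`
| eval failure=if(action="failure", count, 0),
       success=if(action="success", count, 0)
| stats values(reason) as failure_reason,
        sum(failure) as failure,
        sum(success) as success
    by src, user, app, index
| eventstats dc(user) as targeted_users,
             sum(failure) as failures_from_src
    by src
| where failure >= 20 AND targeted_users = 1
| rex field=index "(?<bu_prefix>[a-zA-Z]+)"
| lookup org_lookup.csv bu_prefix OUTPUTNEW Organization
| table src, user, app, index, Organization, failure, success,
        failure_reason, failures_from_src, targeted_users
```

Each result row is one (src, user, app) triple, so the failure and success counts are already correlated to the app and the account; `failure_reason` collects the distinct reason strings seen for that triple. `targeted_users = 1` isolates the single-IP, single-account case from the original question, while `failures_from_src` keeps the source's overall failure volume visible for triage. Dropping the `where success > 0` filter from the original rule is deliberate here, since the scenario in question 4 may never include a successful login; add it back if you only want "failures followed by a success".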