×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Cozy
Loves-to-Learn
Member since: ‎06-26-2024
‎06-28-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-26-2024
Activity Feed
View All

Re: Modification of query for detecting Successful...

by in Splunk Search
‎06-28-2024 09:35 AM
‎06-28-2024 09:35 AM
I've implemented your suggested logic and enhanced it to detect password spray attempts and also alert when there's a successful login from the same source following a spray attempt. Specifically, I added conditions to detect successful logins from the same source following a spray attempt. Here’s a summary of the changes: Added a check for successful logins:   dc(eval(if('data.type'="s", 'data.user_name', null()))) AS unique_successful_accounts​   Categorized alerts: An eval statement to differentiate the alert type as "Successful After attempt" if there's a successful login after the failed attempts. These changes ensure that the query not only detects password spray attempts but also alerts when there's a successful login following the spray attempt. Thank you so much for your help! ... View more

Modification of query for detecting Successful Log...

by in Splunk Search
‎06-26-2024 06:49 AM
‎06-26-2024 06:49 AM
Hello, I need some help with adjusting an alert for detecting a password spray attack using Auth0 logs in Splunk. What I'm looking for is to not just catch the password spray itself but also get alerted when there's a successful login from the same source right after the spray attempt. Currently, I have the following query that detects password spray attempts by identifying IPs with more than 10 unique failed login attempts within a 5-minute window:     index = auth0 (data.type IN ("fu", "fp")) | bucket span=5m _time | stats dc(data.user_name) AS unique_accounts values(data.user_name) as tried_accounts values(data.client_name) as clientName values(data.type) as failure_reason by data.ip | where unique_accounts > 10   Is there an way to adjust this query to also detect and alert on successful logins (data.type = "s") from the same IPs that performed the spray attack? I am looking to create an alert that indicates a successful login following the spray, so we can respond accordingly. Log Event Type Codes (auth0.com) Thank you ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-28-2024 01:04 PM