Developing for Splunk Enterprise

The issue is that we have so many Windows authentication failures after creating the Authentication data model

ngwodo
Path Finder

I created an Authentication data model that has Default, Insecure, and Privileged Authentication data models. It also uses action=success and action=failures. Please see the screenshot below:

[Screenshot: ngwodo_0-1634067370327.png]

I can see the data coming in from different sources, but the issue is that we have so many Windows authentication failures. Please, how can I fix this configuration issue? Has anybody come across such issues?


richgalloway
SplunkTrust

Are you sure this is a Splunk issue?  Is it possible Splunk has just pointed out a problem that already exists in your company?

If you built the datamodel yourself, double-check the logic.  

To properly diagnose authentication failures, we need to see the constraint for the Failed Authentication dataset.

---
If this reply helps you, an upvote would be appreciated.

ngwodo
Path Finder

The constraint for the Failed Authentication data model is:

(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) NOT "pam_unix(sshd:auth): authentication failure;"
action="failure"

[Screenshot: ngwodo_0-1634160947562.png]

I have another question. How can I review the event codes that are failing for Windows authentication failures?


richgalloway
SplunkTrust

I'm confused. The Failed Authentication dataset inherits a condition ('NOT "pam_unix(sshd:auth): authentication failure;"') that is not shown in the screenshot of the parent dataset in the OP.

I don't understand the new question, either, but new questions usually warrant new postings.


ngwodo
Path Finder

Pardon me. The parent screenshot I shared before was the wrong one. Below is actually the screenshot of the parent dataset:

[Screenshot: ngwodo_0-1634163448535.png]

Please let me know.


richgalloway
SplunkTrust

Take the constraint from the dataset and run it in a search window.  Verify the results are as expected.  Modify the query as necessary to get the desired results then update the datamodel.

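The advice above is to run the dataset constraint as a search and verify the results, and the earlier follow-up asks how to see which event codes make up the Windows failures. The following is an added example, not code from the thread or from Splunk: it re-implements the boolean logic of the quoted constraint in plain Python so the filter can be exercised on constructed events without a Splunk instance. Field names (sourcetype, EventCode, user, tag, _raw) follow Splunk conventions, the `cim_Authentication_indexes` index macro is assumed to be satisfied, and all sample events are constructed for illustration (4625 and 4624 are the Windows Security log failed and successful logon events).

```python
"""Offline check of the Failed Authentication constraint quoted in the thread.

Added example, not code from the original thread or from Splunk. It models the
search-time fields Splunk would already have produced (tags, extracted fields,
raw text) and applies the quoted constraint clause by clause.
"""
from collections import Counter

# Literal excluded by the parent dataset's third clause (copied from the post).
PAM_SSHD_FAILURE = "pam_unix(sshd:auth): authentication failure;"


def in_parent_dataset(ev: dict) -> bool:
    """Parent constraint from the post:
    tag=authentication NOT (action=success user=*$) NOT "<PAM_SSHD_FAILURE>"
    (the `cim_Authentication_indexes` macro is an index filter, assumed satisfied).
    """
    if "authentication" not in ev.get("tag", ()):
        return False
    # NOT (action=success user=*$): only *successful* machine-account events
    # (user ending in "$") are dropped; machine-account failures still pass.
    if ev.get("action") == "success" and ev.get("user", "").endswith("$"):
        return False
    # NOT "pam_unix(...)": a raw-text exclusion, so it drops Linux sshd failures
    # logged through pam_unix no matter how the action field was extracted.
    if PAM_SSHD_FAILURE in ev.get("_raw", ""):
        return False
    return True


def in_failed_dataset(ev: dict) -> bool:
    """Child dataset: inherits the parent constraint AND action="failure"."""
    return in_parent_dataset(ev) and ev.get("action") == "failure"


def failures_by_code(events) -> Counter:
    """Offline equivalent of `| stats count by sourcetype, EventCode, user`
    over the Failed Authentication dataset: shows which codes drive the volume."""
    return Counter(
        (ev.get("sourcetype"), ev.get("EventCode"), ev.get("user"))
        for ev in events
        if in_failed_dataset(ev)
    )


# Constructed sample events (hypothetical, not from the thread).
def _win(code, action, user):
    return {"sourcetype": "WinEventLog:Security", "EventCode": code,
            "action": action, "user": user, "tag": ["authentication"],
            "_raw": f"EventCode={code} Account Name: {user}"}


SAMPLE_EVENTS = [
    _win("4625", "failure", "jdoe"),
    _win("4625", "failure", "jdoe"),
    _win("4625", "failure", "WKS01$"),   # machine-account failure: kept
    _win("4624", "success", "WKS01$"),   # machine-account success: excluded
    _win("4624", "success", "jdoe"),     # in parent dataset, not in Failed
    {   # Linux sshd failure logged via pam_unix: excluded by the raw-text clause
        "sourcetype": "linux_secure", "action": "failure", "user": "root",
        "tag": ["authentication"],
        "_raw": "sshd[1234]: pam_unix(sshd:auth): authentication failure; "
                "logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=root",
    },
    {   # Linux sshd failure without the pam_unix line: kept
        "sourcetype": "linux_secure", "action": "failure", "user": "root",
        "tag": ["authentication"],
        "_raw": "sshd[1235]: Failed password for root from 10.0.0.9 port 51022 ssh2",
    },
    {   # untagged event: never enters the data model at all
        "sourcetype": "access_combined", "action": "failure", "user": "jdoe",
        "tag": [], "_raw": '10.0.0.9 - - "POST /login HTTP/1.1" 401 -',
    },
]


if __name__ == "__main__":
    for key, count in failures_by_code(SAMPLE_EVENTS).most_common():
        print(f"{count:4d}  sourcetype={key[0]} EventCode={key[1]} user={key[2]}")
```

Inside Splunk the same check is the quoted constraint pasted into the search bar with `| stats count by sourcetype, EventCode, user` appended. Running the logic on constructed events makes one asymmetry of the constraint visible: the `NOT (action=success user=*$)` clause removes machine-account successes but not machine-account failures, and the pam_unix clause removes one class of Linux failures entirely, so the Failed Authentication counts are shaped by those exclusions as much as by the underlying failure rate.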