Splunk Dev

The issue is that we have so many windows authentication failures after creating Authentication Data model

ngwodo
Path Finder

I created an Authentication data model that has default, Insecure, and Privileged Authentication datasets. It also uses action=success and action=failures. Please see screenshot below:

[screenshot: ngwodo_0-1634067370327.png]

I can see the data coming in from different sources, but the issue is that we have so many Windows authentication failures. Please, how can I fix this configuration issue? Has anybody come across such an issue?


richgalloway
SplunkTrust

Are you sure this is a Splunk issue?  Is it possible Splunk has just pointed out a problem that already exists in your company?

If you built the datamodel yourself, double-check the logic.  

To properly diagnose authentication failures, we need to see the constraint for the Failed Authentication dataset.

---
If this reply helps you, Karma would be appreciated.

ngwodo
Path Finder

The constraint for the Failed Authentication dataset is:

(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) NOT "pam_unix(sshd:auth): authentication failure;"
action="failure"

 

[screenshot: ngwodo_0-1634160947562.png]

I have another question. How can I review the event codes that are failing for windows authentication failures?

 


richgalloway
SplunkTrust

I'm confused.  The Failed Authentication dataset inherits a condition ('NOT "pam_unix(sshd:auth): authentication failure;"') that is not shown in the screenshot of the parent data set in the OP.

I don't understand the new question, either, but new questions usually warrant new postings.

---
If this reply helps you, Karma would be appreciated.

ngwodo
Path Finder

Pardon me. The parent screenshot I shared before was the wrong one. Below is actually the screenshot of the parent dataset:

[screenshot: ngwodo_0-1634163448535.png]

Please let me know.


richgalloway
SplunkTrust

Take the constraint from the dataset and run it in a search window.  Verify the results are as expected.  Modify the query as necessary to get the desired results then update the datamodel.

---
If this reply helps you, Karma would be appreciated.
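One way to carry out that check, and to answer the earlier question about which event codes are failing, as an added example that is not from any post in this thread: run the Failed Authentication constraint quoted above in a search window and break the failures down by source type and Windows event code. The fields used beyond those on the page (EventCode, signature, sourcetype, src, user) are the standard Splunk Add-on for Windows / CIM field names and are assumed to be populated in your environment.

```spl
`cim_Authentication_indexes` tag=authentication
    NOT (action=success user=*$) NOT "pam_unix(sshd:auth): authentication failure;"
    action="failure"
| fillnull value="n/a" EventCode
| stats count AS failures,
        dc(user) AS distinct_users,
        dc(src) AS distinct_sources,
        values(signature) AS signature
    BY sourcetype, EventCode
| eventstats sum(failures) AS total_failures
| eval pct_of_all_failures = round(100 * failures / total_failures, 1)
| fields - total_failures
| sort - failures
```

The `fillnull` keeps non-Windows sources (which have no EventCode) in the table so you can see what share of the dataset's failures Windows actually accounts for. A single event code with few distinct sources but thousands of failures usually points at a misconfigured service account or a host that keeps retrying, whereas failures spread across many users and sources are exactly what the data model is meant to surface; if the breakdown looks right, the constraint is fine and the failures are real.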