Splunk Enterprise Security

How do you use Splunk Enterprise Security to prevent password spraying and guessing?

sahiltcs
Path Finder

Hello,

I am looking for a query based on my below scenario use case :
user passwords shall comply with minimum complexity requirements. These requirements only partially protect from the risk that weak passwords are used and exploited. Several databases of commonly used password exist and contain passwords that are compliant with DB password complexity policy. An attacker may test a large number of user accounts to find a user that has adopted a common password. This attack is known under the name of password spraying. Due to the large number of users and passwords to be tested, the attack must be automated with scripts that repeatedly test one password on multiple accounts. This monitoring use case should be implemented to enhance protection against weak passwords.

The detection rule shall be based on the following filter criteria:
•Select events with Log Event ID 4771 - Kerberos pre-authentication failed (all these events refer to a failed log in attempt)

•Remove duplicates: Filter out all events where the client address belongs to one of the DB Domain Controller servers (list of DC servers required!!)

•Count the number of failed logins per day per client address

•Count the number of subject account names per client address.

•Raise an alert for when a given client addresses both counts exceeding the defined thresholds X and Y

Sensible thresholds should be defined while testing the use case, an initial suggestion is:

X = 100 -> More than 100 failed log in per day

Y = 80 -> Failed logins correspond to a minimum of 80 different subject account name

0 Karma

woodcock
Esteemed Legend

Like this:

index=win* EventCode="4771" AND NOT [|inputlookup DomainControllers.csv | table host]
| dedup Your Duplication Fields Listed Here
| bin _time span=1d
| stats values(user) dc(user) AS num_users count span=1d BY dest _time
| search count>X AND num_users>Y

sahiltcs
Path Finder

We don't have domain controllers.csv file uploaded But can we use this query and get the result which we are looking in above question?

0 Karma

mpasha
Path Finder

Mr. Woodcock,
Thanks for the solution. it is simple and working like a charm !!!!!

0 Karma

woodcock
Esteemed Legend

Yes, but it will obviously include DCs, too. Just remove the AND NOT ... part.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I believe the Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435/) has a similar use case.

---
If this reply helps you, Karma would be appreciated.
0 Karma

sahiltcs
Path Finder

Is there use cases for failed login, brute force attacks are in Splunk security essentials Where prebuild query is there and we can set up thresholds and send alerts ?

Thanks,
Sahil

0 Karma

ssadh_splunk
Splunk Employee
Splunk Employee

You can download the app from Splunkbase. It has 400+ Use Cases with prebuilt SPL queries & data onboarding guides and lots of other information around how to implement these Use Cases. A must have app in your repository.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...