Splunk Enterprise Security

When is a Failed Login, not a failed login...

jacqu3sy
Path Finder

Hi,

How can I prevent the Splunk Nix TA from mapping the following event to a 'Failed Login' within the Authentication Data Model?

sshd[31604]: [ID 800047 auth.notice] Failed none for bla from 10.x.x.x. port 63604 ssh2

I basically want to exclude anything where the phrase 'Failed none' is seen in the raw event.

The following content from the props, in conjunction with the lookup listed below, is mapping the event as action=failed.

[syslog]

Event extractions by type

...
LOOKUP-action_for_syslog = nix_action_lookup vendor_action OUTPUTNEW action
...

From the lookup file:
vendor_action action
...
failed failure
...

I can hash out the line above in the lookup file, but this would then also drop genuine failed logins which I still want to capture.

Any help appreciated.

0 Karma

jawaharas
Motivator

You can change the search string of the eventtype to exclude the keyword 'Failed none'.

The list of event types can be found under 'Settings->Event Types' in the GUI.

0 Karma

lakshman239
SplunkTrust

Pls review the default/eventtypes.conf and tags.conf to understand the current mapping between events/eventtypes and the 'authentication' tag. You can then create new eventtypes or adjust existing ones to exclude your event(s) from getting the 'failed logon' eventtype and auth tags [and/or by using your specific sourcetypes in the exclusion].

0 Karma
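One way to keep these events out of the failed-login set without hashing out the lookup line, as an added example (my own configuration, not from any poster or from the Nix TA). It relies on the `[syslog]` stanza and `nix_action_lookup` names shown in the question, and the replacement value `unknown` is my choice:

```ini
# local/props.conf (added example, not shipped with the Nix TA)
[syslog]
# sshd logs "Failed none for <user>" when the client probes the "none"
# authentication method before offering real credentials, so it is not a
# wrong password. Calculated fields are evaluated before lookups at search
# time, and the TA's lookup writes action with OUTPUTNEW, so setting action
# here prevents nix_action_lookup from overwriting it with "failure".
# For every other event the eval returns null(), the field is not created,
# and the lookup still assigns action as before, so genuine failures remain.
EVAL-action = if(match(_raw, "Failed none for"), "unknown", null())
```

Events matching "Failed none" then carry action=unknown and drop out of the Failed_Authentication constraint while staying searchable; a check such as `sourcetype=syslog "Failed none" | stats count by action` should show only unknown after the change.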

jacqu3sy
Path Finder

Ah, you mean 'read the documentation' - If only I'd thought of that...

0 Karma