Brute Force Attack false alert

MalcolmC
New Member

We had a vendor set up a Splunk instance for us a while ago, and one of the things they did was set up a Brute Force attack alert using the following search:
| tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src
| rename Authentication.src as source, Authentication.action as action
| chart last(count) over source by action
| where success>0 and failure>20
| sort -failure
| rename failure as failures
| fields - success, unknown
Now this seems to work OK, as I'm getting regular alerts, but these alerts contain little if any detail. Sometimes they contain a server name, so I've checked that server. I can see some failed login attempts on that server, but again, no detail: no account details, no IPs, no server names.
It may be some sort of scheduled task, as I get an alert from Splunk every hour and every time it has about the same number of Brute Force attacks (24). But I can't see any scheduled tasks that may cause this.

Does anyone have any suggestions on how to track down what is causing these false alerts?


bowesmana
SplunkTrust

Change the search to add in the user and destination so they're captured, e.g.

| tstats summariesonly=t allow_old_summaries=t count values(Authentication.dest) as dest values(Authentication.user) as user from datamodel=Authentication by Authentication.action, Authentication.src
| rename Authentication.* as *
| chart last(count) values(dest) as dests values(user) as users over src by action

i.e. change the first 3 lines to add in the values - note also the wildcard rename

You can add more fields from the Authentication datamodel if you need more information
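To make the difference between the two searches concrete, here is an added example (not from either post, and not Splunk code) that models the pipeline in plain Python over constructed Authentication-style events: the `tstats ... by action, src` count, the `chart ... over src by action` pivot, the `where success>0 and failure>20 | sort -failure` filter, and, with `enrich=True`, the `values(dest)` / `values(user)` additions from the answer. Field names (`src`, `dest`, `user`, `action`) mirror the datamodel fields; the IPs, hostnames and account names are made up.

```python
"""Model of the thread's brute-force search, original vs. enriched.

Added illustration, not Splunk code: the events below are constructed to
show why the original alert row carries only a source and a count, while
the enriched version also lists the targeted hosts and accounts.
"""


def build_sample_events():
    """Constructed events shaped like Authentication.src/.dest/.user/.action."""
    events = []
    # 10.0.0.5: 25 failures spread over 3 accounts, then 1 success -> fires
    for i in range(25):
        events.append({"src": "10.0.0.5", "dest": "dc01",
                       "user": ["svc_backup", "jsmith", "admin"][i % 3],
                       "action": "failure"})
    events.append({"src": "10.0.0.5", "dest": "dc01",
                   "user": "jsmith", "action": "success"})
    # 10.0.0.7: 30 failures but never a success -> excluded by success>0
    for _ in range(30):
        events.append({"src": "10.0.0.7", "dest": "vpn01",
                       "user": "root", "action": "failure"})
    # 10.0.0.9: 3 failures and a success -> below the failure>20 threshold
    for _ in range(3):
        events.append({"src": "10.0.0.9", "dest": "dc01",
                       "user": "mlee", "action": "failure"})
    events.append({"src": "10.0.0.9", "dest": "dc01",
                   "user": "mlee", "action": "success"})
    return events


def chart_over_src(events, enrich=False):
    """Model of `tstats count by action, src | chart ... over src by action`.

    Returns {src: row}; each row has one counter per action value and, when
    enrich=True, the distinct dests and users seen from that source (the
    values(dest)/values(user) columns the answer adds).
    """
    rows = {}
    for ev in events:
        row = rows.setdefault(ev["src"], {"success": 0, "failure": 0,
                                          "unknown": 0,
                                          "dests": set(), "users": set()})
        row[ev["action"]] = row.get(ev["action"], 0) + 1
        if enrich:
            row["dests"].add(ev["dest"])
            row["users"].add(ev["user"])
    return rows


def brute_force_alerts(events, min_failures=20, enrich=False):
    """Model of `where success>0 and failure>20 | sort -failure`.

    The original search then drops success/unknown, so a plain alert row is
    just {src, failures}; the enriched row also carries dests and users.
    """
    hits = []
    for src, row in chart_over_src(events, enrich=enrich).items():
        if row["success"] > 0 and row["failure"] > min_failures:
            hit = {"src": src, "failures": row["failure"]}
            if enrich:
                hit["dests"] = sorted(row["dests"])
                hit["users"] = sorted(row["users"])
            hits.append(hit)
    return sorted(hits, key=lambda h: -h["failures"])


if __name__ == "__main__":
    evs = build_sample_events()
    print("original alert rows:", brute_force_alerts(evs))
    print("enriched alert rows:", brute_force_alerts(evs, enrich=True))
```

Running it prints one row either way (only 10.0.0.5 has both a success and more than 20 failures); the original form gives nothing but the source and a count, which is exactly the "no account details, no IPs, no server names" situation in the question, while the enriched form shows the three accounts and the host being hit.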
