How can we do it on all the universal forwarders? I have already done this on the indexer, deployment server/license master, heavy forwarders, and search heads.
We have like 1000 hosts reporting to Splunk. How can I do this manually on all UFs?
I don't want to see brute force from the DC, as this is of no use, but instead from actual users. I am stuck at the place where this extreme search is defined in the rule: "xswhere failure from failures_by_src_count_1h in authentication is above medium"
I want to replace failures_by_src_count_1h with failures_by_user_count_1h but don't have an idea how to change this. Any help with this would be appreciated.
Does anyone have an idea about the source and destination fields in this alert? I want to tune this for our environment, since whenever any user connects through VPN or RDP I am getting this alert.
Below is the source which is being used.
source="Access - Geographically Improbable Access - Summary Gen"
If anyone has tuned this for their environment, please let me know.