TechQA.

Finding brute force attacks with splunk

1.3k views Asked by At

I have a few login failures then a success for Administrator and this is what I have but it doesn't seem to be getting any results:

source=WinEventLog:Security EventCode=4625 OR EventCode=4624 
 | bin _time span=5m as minute 
 | eval username=mvindex(Account_Name, 1)
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=2
 | stats dc(username) as Total by minute 
 | where Total>3

Any ideas on a better way to find failed login attempts for a user and then a successful login?

splunk splunk-query intrusion-detection splunk-formula splunk-calculation
Original Q&A
1

There are 1 answers

0
RichG On BEST ANSWER

The Splunk Security Essentials app has an example Brute Force Attempt Detection query.

Related Questions in SPLUNK

Related Questions in SPLUNK-QUERY

Related Questions in INTRUSION-DETECTION

Related Questions in SPLUNK-FORMULA

Related Questions in SPLUNK-CALCULATION

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions