cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
MalcolmC
New Member
Member since: ‎05-03-2021
‎11-13-2023
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-03-2021
Activity Feed
View All

Brute Force Attack false alert

by in Splunk Search
‎11-13-2023 02:26 PM
‎11-13-2023 02:26 PM
we had a vendor setup a Splunk instance for us a while ago and one of the things they did was setup a Brute Force attack alert using the following search, | tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src | rename Authentication.src as source, Authentication.action as action | chart last(count) over source by action | where success>0 and failure>20 | sort -failure | rename failure as failures | fields - success, unknown Now this seems to work OK as I'm getting regular alerts, but these alerts contain little if any detail. Sometimes they contain a server name, so I've checked that server. I can see some failed login attempts on that server, but again, not detail. No account details, not IPs, no servers names. It may be some sort of scheduled task as i get an alert from Splunk every hour and every time it has about the same number of Brute Force attacks (24). But I can't see any scheduled tasks that may cause this. Does anyone have any suggestions on how to track down what is causing these false alerts ? ... View more
Labels

How to achieve brute force alerts?

by in Security
‎05-21-2023 08:29 PM
‎05-21-2023 08:29 PM
we had a vendor setup our Splunk instance and configure a "Brute Force Attack" alert with the following query. --- orginal brute force alert ---- | tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src | rename Authentication.src as source, Authentication.action as action | chart last(count) over source by action | where success>0 and failure>20 | sort -failure | rename failure as failures | fields - success, unknown This seemed to be working OK, but lately we've been getting a lot of emails from it. Most I've fixed, it was a bad password in a automated job. But the last one left on my list, the source is listed as "unknown" and I cant seem to find any more information about it. I'm new to splunk so probably not looking in the correct place the correct way. Has anyone got any suggestions on how to track down what it might be ? ... View more
Labels

Upgrade Process 8.0.3 to 8.1.3

by in Installation
‎05-03-2021 09:09 PM
‎05-03-2021 09:09 PM
Hi All, I'm new to Splunk administration and have been tasked with upgrading our 8.0.3 instance to 8.1.3. We have 1 indexer and 1 search head. Which do i upgrade first ? All windows based. thanks. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-13-2023 11:22 PM