I have a few login failures then a success for Administrator and this is what I have but it doesn't seem to be getting any results:

source=WinEventLog:Security (EventCode=4625 OR EventCode=4624)
 | bin _time span=5m as minute 
 | eval username=mvindex(Account_Name, 1)
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=2
 | stats dc(username) as Total by minute 
 | where Total>3

Any ideas on a better way to find failed login attempts for a user and then a successful login?

Jason
  • Here's the same question on /r/Splunk: https://www.reddit.com/r/Splunk/comments/j55u18/how_do_you_detect_brute_force_attacks – warren Oct 05 '20 at 16:40
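Added example, not code from the question, from the comment's Reddit thread or from Splunk Security Essentials: the same "several failures, then a success, for one account" logic written in Python over constructed sample events, so the rule can be checked offline before it is put into a search. The field names (_time, EventCode, Account_Name) follow the question's query, the sample events are made up, and the detection uses a sliding window per account rather than fixed 5-minute bins, which goes slightly beyond the question's approach.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data), shaped like the fields a
# Splunk Windows Security input exposes. Account_Name is multivalue: index 0
# is the subject account, index 1 the target account, which is why the
# question's query uses mvindex(Account_Name, 1).
SAMPLE_EVENTS = [
    {"_time": "2020-10-05T16:00:05", "EventCode": 4625, "Account_Name": ["-", "Administrator"]},
    {"_time": "2020-10-05T16:00:40", "EventCode": 4625, "Account_Name": ["-", "Administrator"]},
    {"_time": "2020-10-05T16:01:10", "EventCode": 4625, "Account_Name": ["-", "Administrator"]},
    {"_time": "2020-10-05T16:02:00", "EventCode": 4624, "Account_Name": ["WIN-SRV01$", "Administrator"]},
    {"_time": "2020-10-05T16:03:00", "EventCode": 4624, "Account_Name": ["WIN-SRV01$", "Administrator"]},
    {"_time": "2020-10-05T15:50:00", "EventCode": 4625, "Account_Name": ["-", "alice"]},
    {"_time": "2020-10-05T15:51:00", "EventCode": 4625, "Account_Name": ["-", "alice"]},
    {"_time": "2020-10-05T16:10:00", "EventCode": 4624, "Account_Name": ["WIN-SRV01$", "alice"]},
    {"_time": "2020-10-05T16:04:00", "EventCode": 4625, "Account_Name": ["-", "bob"]},
    {"_time": "2020-10-05T16:04:30", "EventCode": 4624, "Account_Name": ["WIN-SRV01$", "bob"]},
]

FAILURE, SUCCESS = 4625, 4624  # Windows logon failure / logon success


def target_account(event):
    """Mirror of mvindex(Account_Name, 1): the account that was logged on to."""
    return event["Account_Name"][1]


def detect_failures_then_success(events, span_minutes=5, min_failures=2):
    """Flag each successful logon preceded by at least min_failures failures
    for the same target account within the last span_minutes.

    A sliding window is used instead of fixed bins, so a burst that straddles
    a 5-minute bin boundary (where bin _time span=5m would split it) is still
    caught. Returns a list of alert dicts in time order.
    """
    window = timedelta(minutes=span_minutes)
    recent_failures = defaultdict(deque)  # username -> failure timestamps
    alerts = []
    for event in sorted(events, key=lambda e: e["_time"]):
        ts = datetime.fromisoformat(event["_time"])
        user = target_account(event)
        failures = recent_failures[user]
        # Drop failures that have fallen out of the window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if event["EventCode"] == FAILURE:
            failures.append(ts)
        elif event["EventCode"] == SUCCESS:
            if len(failures) >= min_failures:
                alerts.append({
                    "username": user,
                    "success_time": ts.isoformat(),
                    "failures_before": len(failures),
                    "first_failure": failures[0].isoformat(),
                })
            # A success ends the burst; don't re-alert on the next success.
            failures.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_failures_then_success(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, only Administrator is flagged: three failures in under two minutes followed by a success. alice's two failures are 20 minutes before her success, so they are outside the window, and bob has only one failure. Widening span_minutes to 30 also flags alice, which is the kind of tuning the Total and Failed thresholds in the question's query are meant to control.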

1 Answer

The Splunk Security Essentials app has an example Brute Force Attempt Detection query.

RichG