A simple search can easily alert you to the possibility of a brute force or dictionary attack on the network’s resources. Start by modeling your search. The idea here is to collect fields and terms by which to identify Authentication Failures.
Start by generating a failure yourself: log in to the device with a bad password, find the resulting event in Splunk, and pick out the characteristics of that line that you can turn into a search string. Across several devices I found different wording for the same thing: some logged bad password, some FailedAuth, and others Authen failed. So, to start with, I created a search for all entries in my main index containing any of these terms (Splunk term matching is case-insensitive, so varying capitalization across devices does not matter) and set a scheduled alert to notify me whenever there were more than 5 failed login attempts in a 15-minute window.
index=main ("bad password" OR "FailedAuth" OR "Authen failed")
I also noticed failed attempts against usernames that no one on my network should be using, such as root and admin. On my network these default accounts are renamed, so anyone trying to log in with them is almost certainly an attacker (or, at best, a misconfigured device worth finding). I created a search for those names and an alert to let me know any time one of them shows up.
index=main ("bad password" OR "FailedAuth" OR "Authen failed") (User_Name="admin" OR User_Name="root" OR User_Name="administrator")
Add any other name that shows up and does not belong on your network. Note that each username must be written as its own User_Name= comparison: a search like User_Name="admin" OR "root" treats "root" as a free-text term and matches any event that mentions root anywhere, not just failures against that account.
I also noticed that some of these guys were being sneaky with their attacks. They spread their attempts out so my 15-minute threshold would never be met. So, I created another search that runs before I get in each morning and tells me which usernames had the most failures over the previous day. I assume anything under 5 attempts is fairly harmless, so to eliminate fat-finger failures I only wanted usernames that had failed more than 5 times.
index=main ("bad password" OR "FailedAuth" OR "Authen failed") earliest=-1d@d latest=@d | top limit=0 User_Name | where count > 5
The limit=0 matters: top returns only the 10 most frequent values by default, so without it a username with more than 5 failures could be dropped before the where clause ever sees it. The earliest/latest terms pin the report to the previous calendar day; you can also set that range in the alert's schedule instead.
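To see how the three alerts above behave against real log lines, here is an added example (my own code, not from the original post or from Splunk) that re-implements their logic in Python over a constructed sample log. The log format, device names, usernames and IP addresses are all made up; the three failure phrasings, the 15-minute window, the forbidden-username list and the "more than 5 per day" rule are the ones the post describes. It includes a spread-out attacker ("bob") who never trips the 15-minute alert but is caught by the daily count.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Constructed sample log: timestamp, device, message, User_Name, src. The
# three failure phrasings from the post are mixed, one success line is
# included to show it is filtered out, and "bob" spreads six failures across
# the day so no 15-minute window ever holds more than one of them.
SAMPLE_LOG = """\
2024-03-01T06:00:10 fw01 FailedAuth User_Name=bob src=203.0.113.7
2024-03-01T08:00:05 sw01 Authen failed User_Name=jsmith src=10.0.0.5
2024-03-01T08:00:40 sw01 Authen failed User_Name=jsmith src=10.0.0.5
2024-03-01T08:01:10 sw01 login succeeded User_Name=jsmith src=10.0.0.5
2024-03-01T08:05:00 rtr01 bad password User_Name=admin src=203.0.113.7
2024-03-01T08:30:10 fw01 FailedAuth User_Name=bob src=203.0.113.7
2024-03-01T09:00:00 rtr01 bad password User_Name=carol src=198.51.100.4
2024-03-01T09:01:00 rtr01 bad password User_Name=carol src=198.51.100.4
2024-03-01T09:02:00 rtr01 bad password User_Name=carol src=198.51.100.4
2024-03-01T09:03:00 rtr01 bad password User_Name=carol src=198.51.100.4
2024-03-01T09:04:00 rtr01 bad password User_Name=carol src=198.51.100.4
2024-03-01T09:05:00 rtr01 bad password User_Name=carol src=198.51.100.4
2024-03-01T10:30:10 fw01 FailedAuth User_Name=bob src=203.0.113.7
2024-03-01T11:15:00 sw02 BAD PASSWORD User_Name=dave src=10.0.0.8
2024-03-01T12:30:10 fw01 FailedAuth User_Name=bob src=203.0.113.7
2024-03-01T14:30:10 fw01 FailedAuth User_Name=bob src=203.0.113.7
2024-03-01T16:30:10 fw01 FailedAuth User_Name=bob src=203.0.113.7
"""

# Lower-cased so matching is case-insensitive, like Splunk term search.
FAILURE_TERMS = ("bad password", "failedauth", "authen failed")
FORBIDDEN_USERS = {"admin", "root", "administrator"}

# Hypothetical line layout for this example: "<ts> <device> <message> User_Name=<user> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<dev>\S+)\s+(?P<msg>.*?)\s+User_Name=(?P<user>\S+)")


class Failure(NamedTuple):
    ts: datetime
    user: str
    device: str


def parse_failures(log_text: str) -> List[Failure]:
    """Equivalent of index=main ("bad password" OR "FailedAuth" OR "Authen failed"):
    keep only lines whose message contains one of the failure terms."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg").lower()
        if not any(term in msg for term in FAILURE_TERMS):
            continue
        failures.append(Failure(datetime.fromisoformat(m.group("ts")),
                                m.group("user"), m.group("dev")))
    return sorted(failures)  # sorted by timestamp; the window scan relies on this


def max_failures_in_window(failures: List[Failure],
                           window: timedelta = timedelta(minutes=15)) -> int:
    """Largest number of failures falling inside any window of the given length
    (the first alert fires when this exceeds 5). Two-pointer sweep over the
    time-sorted list, so it is O(n)."""
    best, j = 0, 0
    for i, f in enumerate(failures):
        while j < len(failures) and failures[j].ts - f.ts <= window:
            j += 1
        best = max(best, j - i)
    return best


def forbidden_user_failures(failures: List[Failure]) -> List[str]:
    """Second alert: failures against accounts nobody on the network should use."""
    return sorted({f.user for f in failures if f.user.lower() in FORBIDDEN_USERS})


def daily_repeat_offenders(failures: List[Failure], min_count: int = 5) -> List[Tuple[str, int]]:
    """Third report: equivalent of `top limit=0 User_Name | where count > 5`,
    ordered by count descending then name."""
    counts = Counter(f.user for f in failures)
    return sorted(((u, c) for u, c in counts.items() if c > min_count),
                  key=lambda uc: (-uc[1], uc[0]))


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("failures parsed:", len(fails))
    print("max failures in any 15 min:", max_failures_in_window(fails))
    print("forbidden usernames seen:", forbidden_user_failures(fails))
    print("more than 5 failures today:", daily_repeat_offenders(fails))
```

Running it shows the point of the third search: carol's six attempts in five minutes trip the 15-minute alert, but bob's six attempts spread two hours apart never exceed one per window and only surface in the daily per-username count. The one "admin" failure is flagged by the forbidden-username check regardless of volume.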