【Title】: Finding brute force attacks with Splunk
【Posted】: 2020-10-05 01:45:32
【Question】:

I have several failed logins followed by a successful admin login. This is what I have, but it doesn't seem to return any results:

source=WinEventLog:Security (EventCode=4625 OR EventCode=4624)
 | bin _time span=5m as minute
 | eval username=mvindex(Account_Name, 1)
 | stats count(Keywords) as Attempts,
     count(eval(match(Keywords,"Audit Failure"))) as Failed,
     count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=2
 | stats dc(username) as Total by minute
 | where Total>3

Is there a better way to find a user's failed login attempts followed by a successful login?

【Comments】:

Tags: splunk splunk-query intrusion-detection splunk-formula splunk-calculation


【Answer 1】:

The Splunk Security Essentials app has a sample brute-force attempt detection query.

【Discussion】:
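To make the difference between the two detections concrete, here is an added example (editor-written Python, not from the question, the answer, or the Splunk Security Essentials app) that runs both over constructed Windows Security events. `failures_then_success` finds what the question asks for: an account with at least N failures (4625) and then a success (4624) within a sliding window, checking order rather than just counts. `password_spray` reproduces what the posted query actually computes: fixed 5-minute buckets (like `bin span=5m`) in which more than 3 distinct accounts each failed at least twice, which is a spray signal and discards the per-user success count. The event dicts, the account names, the timestamps and the field layout (`Account_Name` as a two-value list with the target account at index 1, as in the question's `mvindex`) are all assumptions made for the example.

```python
"""Correlate Windows Security logon events: failures (4625) followed by a
success (4624) for the same account, plus the many-accounts spray pattern."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"


# Constructed sample events (not real log data). Field names follow Splunk's
# WinEventLog:Security extractions: Account_Name is multivalued (subject,
# target), so index 1 is the account being logged on to, as in the question.
def _ev(time, code, user):
    return {"_time": time, "EventCode": code, "Account_Name": ["-", user],
            "Keywords": "Audit Success" if code == 4624 else "Audit Failure"}


SAMPLE_EVENTS = [
    # three failures then a success within a minute: the pattern we want
    _ev("2020-10-05 01:40:05", 4625, "Administrator"),
    _ev("2020-10-05 01:40:09", 4625, "Administrator"),
    _ev("2020-10-05 01:40:14", 4625, "Administrator"),
    _ev("2020-10-05 01:41:02", 4624, "Administrator"),
    # one typo then a success: below threshold, must not alert
    _ev("2020-10-05 01:42:00", 4625, "alice"),
    _ev("2020-10-05 01:42:10", 4624, "alice"),
    # success 20 minutes after the failures: outside the window, must not alert
    _ev("2020-10-05 01:50:00", 4625, "bob"),
    _ev("2020-10-05 01:50:05", 4625, "bob"),
    _ev("2020-10-05 02:10:00", 4624, "bob"),
]
# one source trying the same password against many accounts (spray), no success
for i, user in enumerate(["carol", "dave", "erin", "frank"]):
    for k in range(2):
        SAMPLE_EVENTS.append(_ev(f"2020-10-05 01:55:{10 * i + k:02d}", 4625, user))


def _parse(ev):
    """Timestamp and normalised target account of one event."""
    return datetime.strptime(ev["_time"], TIME_FMT), ev["Account_Name"][1].lower()


def failures_then_success(events, window=timedelta(minutes=5), min_failures=2):
    """One finding per account whose logon succeeded within `window` of at
    least `min_failures` earlier failures. Unlike a count per fixed bucket,
    this checks ordering: the failures must precede the success."""
    recent = defaultdict(deque)  # account -> failure timestamps still in window
    findings = []
    for ev in sorted(events, key=lambda e: _parse(e)[0]):
        ts, user = _parse(ev)
        fails = recent[user]
        while fails and ts - fails[0] > window:  # expire failures outside window
            fails.popleft()
        if ev["EventCode"] == 4625:
            fails.append(ts)
        elif ev["EventCode"] == 4624:
            if len(fails) >= min_failures:
                findings.append({"user": user, "failures": len(fails),
                                 "first_failure": fails[0], "success": ts})
            fails.clear()  # a success ends the streak either way
    return findings


def password_spray(events, bucket_minutes=5, min_failures=2, min_users=3):
    """What the question's query actually computes: fixed buckets (like
    `bin span=5m`) in which more than `min_users` distinct accounts each
    failed at least `min_failures` times. Returns bucket -> sorted accounts."""
    per_bucket = defaultdict(lambda: defaultdict(int))  # bucket -> user -> fails
    for ev in events:
        if ev["EventCode"] != 4625:
            continue
        ts, user = _parse(ev)
        bucket = ts.replace(second=0, microsecond=0,
                            minute=ts.minute - ts.minute % bucket_minutes)
        per_bucket[bucket][user] += 1
    hits = {}
    for bucket, counts in per_bucket.items():
        suspects = sorted(u for u, n in counts.items() if n >= min_failures)
        if len(suspects) > min_users:
            hits[bucket] = suspects
    return hits


if __name__ == "__main__":
    for f in failures_then_success(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['failures']} failures from {f['first_failure']} "
              f"then success at {f['success']}")
    for bucket, users in password_spray(SAMPLE_EVENTS).items():
        print(f"{bucket}: {len(users)} accounts with repeated failures: {users}")
```

On the sample data only the Administrator sequence is reported by `failures_then_success`; alice is under the threshold and bob's success falls outside the window. The spray function flags only the 01:55 bucket. The same distinction applies to the SPL in the question: keeping the per-user `Failed` and `Success` columns and filtering with something like `where Failed>=2 AND Success>=1` targets the question's goal, whereas the trailing `stats dc(username)` throws the success count away and counts accounts instead.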
