Finding brute force attacks with Splunk

I have a few failed logins followed by a successful administrator login. This is what I have, but it doesn't seem to get any results:

source=WinEventLog:Security (EventCode=4625 OR EventCode=4624)
 | bin span=5m _time as minute
 | eval username=mvindex(Account_Name, 1)
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords, "Audit Failure"))) as Failed,
 count(eval(match(Keywords, "Audit Success"))) as Success by minute username
 | where Failed>=2
 | stats dc(username) as Total by minute
 | where Total>3

Any ideas on a better way to find failed login attempts by a user that are then followed by a successful login?

The Splunk Security Essentials app has an example brute-force attempt detection search.
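An added example, not part of the question, the answer, or the Splunk Security Essentials app. The search in the question ends by counting, per 5-minute bin, the distinct accounts with at least two failures and keeping only bins where more than three such accounts exist; that is the shape of password spraying across many accounts, not of repeated failures followed by a success on one account. The Python below runs both checks over constructed events laid out like the fields Splunk extracts from WinEventLog:Security (EventCode, Keywords, and a multivalue Account_Name whose index 1 is the target account, which is what mvindex(Account_Name, 1) selects): a per-account sliding window that fires when a 4624 is preceded by at least N 4625s for the same target account, beside a reproduction of the question's distinct-user bin logic. The thresholds (3 failures, 10 minutes), the clearing of the streak after a success, and all account names and times are assumptions. In SPL the per-account window corresponds to sorting by username and _time and running streamstats with a time window by username; that translation is not shown or tested here.

```python
# Added example (not the question's search, the answer, or Splunk Security
# Essentials code): per-account "N failures then a success" detection over
# constructed Windows Security events shaped like Splunk's WinEventLog fields.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events (names and times are made up). Account_Name on
# 4624/4625 is multivalue in Splunk: index 0 is the subject account, index 1
# the target account, hence the question's mvindex(Account_Name, 1).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": ["-", "Administrator"]},
    {"_time": "2024-05-01T10:00:30Z", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": ["-", "Administrator"]},
    {"_time": "2024-05-01T10:01:00Z", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": ["-", "Administrator"]},
    {"_time": "2024-05-01T10:02:00Z", "EventCode": 4624, "Keywords": "Audit Success", "Account_Name": ["-", "Administrator"]},
    {"_time": "2024-05-01T10:03:00Z", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": ["-", "svc_backup"]},
    {"_time": "2024-05-01T10:04:00Z", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": ["-", "svc_backup"]},
    {"_time": "2024-05-01T10:05:00Z", "EventCode": 4624, "Keywords": "Audit Success", "Account_Name": ["-", "jsmith"]},
    {"_time": "2024-05-01T11:00:00Z", "EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": ["-", "jsmith"]},
    {"_time": "2024-05-01T11:30:00Z", "EventCode": 4624, "Keywords": "Audit Success", "Account_Name": ["-", "jsmith"]},
]


def parse_time(ts):
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def target_account(event):
    """Equivalent of mvindex(Account_Name, 1); tolerates a single-valued field."""
    names = event["Account_Name"]
    if isinstance(names, str):
        return names.lower()
    return names[1].lower() if len(names) > 1 else names[0].lower()


def find_failed_then_success(events, min_failures=3, window_seconds=600):
    """One hit per 4624 that was preceded, for the same target account, by at
    least min_failures 4625s within window_seconds. A success clears the
    account's streak so a later run is counted from scratch (assumed policy)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # account -> failure timestamps still inside the window
    hits = []
    for ev in sorted(events, key=lambda e: parse_time(e["_time"])):
        user = target_account(ev)
        t = parse_time(ev["_time"])
        q = recent[user]
        while q and t - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if ev["EventCode"] == 4625:
            q.append(t)
        elif ev["EventCode"] == 4624:
            if len(q) >= min_failures:
                hits.append({
                    "username": user,
                    "success_time": ev["_time"],
                    "failures_before": len(q),
                    "first_failure": q[0].strftime(TS_FMT),
                })
            q.clear()
    return hits


def spraying_bins(events, span_seconds=300, min_failed=2, min_users=4):
    """The question's last two stages: per time bin, count accounts with at
    least min_failed failures and keep bins where that count is greater than 3
    (min_users=4). This flags many accounts failing in the same bin, not one
    account that eventually logs in."""
    per_bin = defaultdict(lambda: defaultdict(int))  # bin start -> account -> failures
    for ev in events:
        if ev["EventCode"] != 4625:
            continue
        epoch = parse_time(ev["_time"]).timestamp()
        bin_start = datetime.fromtimestamp(epoch - epoch % span_seconds, tz=timezone.utc)
        per_bin[bin_start.strftime(TS_FMT)][target_account(ev)] += 1
    result = {}
    for bin_key, users in per_bin.items():
        total = sum(1 for n in users.values() if n >= min_failed)
        if total >= min_users:
            result[bin_key] = total
    return result


if __name__ == "__main__":
    for hit in find_failed_then_success(SAMPLE_EVENTS):
        print(hit)
    print("bins matching the distinct-user rule:", spraying_bins(SAMPLE_EVENTS))
```

On the constructed sample, the per-account check reports the Administrator success at 10:02 with three failures before it, while the distinct-user bin rule reports nothing, because no 5-minute bin ever contains four accounts with two or more failures. Widening the window or lowering min_failures changes which accounts are reported, so tune both against the normal failure rate of the accounts being watched.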