Description
This detection identifies multiple failed login attempts originating from the same source IP address within a short time period. This pattern is commonly associated with brute force attacks, where an attacker attempts to gain unauthorized access by systematically trying different passwords. The detection focuses on authentication failures across various systems and services, providing early warning of potential credential-based attacks.
Detection Details
- Tool
- Splunk
- Category
- SIEM
- Severity
- Medium
- Status
- Active
Metadata
- ID
- SPLUNK-002
- Author
- Fatima Al Zadjali
- Last Updated
- 2023-10-28
MITRE ATT&CK Techniques
False Positives
- Forgotten passwords by legitimate users
- Misconfigured applications or services
- Password changes causing temporary authentication failures
Tool-Specific Rule Format
[Multiple Failed Logins from Same Source IP]
search = index=windows EventCode=4625 OR index=linux "Failed password" OR index=proxy "HTTP 401" | stats count by src_ip, user | where count > 5
alert.severity = medium
alert.suppress = false
alert.track = true
counttype = number of events
cron_schedule = */15 * * * *
description = Detects multiple failed login attempts from the same source IP address, which may indicate a brute force attack.
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = search
request.ui_dispatch_view = search
Query
index=windows EventCode=4625 OR index=linux "Failed password" OR index=proxy "HTTP 401" | stats count by src_ip, user | where count > 5Implementation Notes
This rule should be implemented as a scheduled search in Splunk. The search looks for specific patterns in your log data. Consider tuning the search to exclude known legitimate activities in your environment. You may need to adjust the cron schedule and time window based on your log volume and performance considerations.
Alert Details
View Detection RuleWhy This Alert Fired
This alert was triggered by a Splunk detection rule that identified detects multiple failed login attempts from the same source ip address, which may indicate a brute force attack.
Investigation Steps
- Review the full event details in the SIEM platform
- Search for the full event using the query below:
index=windows EventCode=4625 OR index=linux "Failed password" OR index=proxy "HTTP 401" | stats count by src_ip, user | where count > 5
- Examine the context of the event, including user, host, and network information
- Look for unusual patterns or deviations from normal behavior
- Check if the activity is consistent with the user's role and typical activities
- Check for related events before and after the detection time
- Verify if the activity is expected for the user/system in question
- Correlate with other security events from the same source or target
True Positive Indicators
- Multiple failed attempts across different accounts
- Login attempts originating from unusual geographic locations
- Failed logins followed by successful login
- Attempts occurring outside normal business hours
False Positive Indicators
- Forgotten passwords by legitimate users
- Misconfigured applications or services
- Password changes causing temporary authentication failures
Recommended Response Actions
This detection requires investigation to determine if action is needed.
- Investigate the activity thoroughly before taking action
- If confirmed malicious, isolate affected systems
- Reset credentials if account compromise is suspected
- Monitor for additional related activity
- Document findings for future reference
Documentation & Evidence Collection
- Document all investigation steps and findings in the case management system
- Capture screenshots of relevant events and timelines
- Export raw logs and preserve them as evidence
- Document any systems accessed and actions taken during investigation
- Record all remediation actions if a true positive is confirmed