Splunk series: Rule Development (Part 3)

Hello, my digital adventurers! In today’s blog, I will show you how to create a detection rule (an "alert" in Splunk terms) in Splunk. This is the 3rd part of my series, and I will continue to share more insights about Splunk. If you want specific topics from me, you can ask in the comments section.
I will start with the most basic and well-known rule — the Brute Force Attack detection rule. I will write this rule for Windows. But before writing the rule, we must analyze which factors indicate a brute-force attack.
Explanation
As you know, Brute Force attacks involve repeatedly trying different passwords until the correct one is found. To perform brute force attacks, attackers can use different types of automated tools. Before the correct password is found, the attacker produces many failed attempts in a short time, and that is the signal we key on.

That is why we first look at the Windows Event IDs that record failed login attempts. Every failed attempt made before the right password is found is logged in the Security log as Event ID 4625, so a run of 4625 events for the same account or from the same source within a short window is what the rule needs to count.
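To make the counting logic concrete, here is an added example (my illustration, not code from the post or from Splunk) that runs the brute-force idea over constructed Windows Security events: it keeps only EventCode=4625, groups failures by source address and account, and raises an alert when a sliding time window contains at least a threshold number of failures. The field names follow the Splunk Add-on for Windows (EventCode, Account_Name, Source_Network_Address); the index name in the SPL comment, the threshold of 5 and the 5-minute window are assumptions you would tune to your environment.

```python
"""Added illustration: the failed-logon counting behind a brute-force rule,
run over constructed Windows Security events (not from the original post)."""
from collections import defaultdict
from datetime import datetime, timedelta

# The equivalent Splunk search this logic mirrors (index name is an assumption):
#   index=wineventlog EventCode=4625
#   | bin _time span=5m
#   | stats count min(_time) as first max(_time) as last
#       by _time, Source_Network_Address, Account_Name
#   | where count >= 5

# Constructed sample events (flat key=value form, one per line).
# alice from 10.0.0.5: six failures in ~10 seconds, then a success (4624).
# bob from 10.0.0.9: three failures in three minutes (below threshold 5).
# dave from 10.0.0.7: five failures, but spread over 40 minutes.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 EventCode=4625 Account_Name=alice Source_Network_Address=10.0.0.5 Logon_Type=3
2024-05-01T10:00:03 EventCode=4625 Account_Name=alice Source_Network_Address=10.0.0.5 Logon_Type=3
2024-05-01T10:00:05 EventCode=4625 Account_Name=alice Source_Network_Address=10.0.0.5 Logon_Type=3
2024-05-01T10:00:08 EventCode=4625 Account_Name=alice Source_Network_Address=10.0.0.5 Logon_Type=3
2024-05-01T10:00:10 EventCode=4625 Account_Name=alice Source_Network_Address=10.0.0.5 Logon_Type=3
2024-05-01T10:00:12 EventCode=4625 Account_Name=alice Source_Network_Address=10.0.0.5 Logon_Type=3
2024-05-01T10:00:14 EventCode=4624 Account_Name=alice Source_Network_Address=10.0.0.5 Logon_Type=3
2024-05-01T10:01:00 EventCode=4625 Account_Name=bob Source_Network_Address=10.0.0.9 Logon_Type=3
2024-05-01T10:02:00 EventCode=4625 Account_Name=bob Source_Network_Address=10.0.0.9 Logon_Type=3
2024-05-01T10:03:00 EventCode=4625 Account_Name=bob Source_Network_Address=10.0.0.9 Logon_Type=3
2024-05-01T10:10:00 EventCode=4625 Account_Name=dave Source_Network_Address=10.0.0.7 Logon_Type=3
2024-05-01T10:20:00 EventCode=4625 Account_Name=dave Source_Network_Address=10.0.0.7 Logon_Type=3
2024-05-01T10:30:00 EventCode=4625 Account_Name=dave Source_Network_Address=10.0.0.7 Logon_Type=3
2024-05-01T10:40:00 EventCode=4625 Account_Name=dave Source_Network_Address=10.0.0.7 Logon_Type=3
2024-05-01T10:50:00 EventCode=4625 Account_Name=dave Source_Network_Address=10.0.0.7 Logon_Type=3
"""


def parse_events(text):
    """Turn the key=value lines into dicts with a parsed _time field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["_time"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (source, account) whose 4625 failures reach
    `threshold` inside any sliding window of length `window`.
    Each alert records the first and last failure time of that window."""
    failures = defaultdict(list)
    for e in events:
        if e.get("EventCode") != "4625":      # only failed logons count
            continue
        key = (e["Source_Network_Address"], e["Account_Name"])
        failures[key].append(e["_time"])

    alerts = []
    for (src, account), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "src": src, "account": account,
                    "count": end - start + 1,
                    "first": times[start], "last": times[end],
                })
                break  # one alert per pair is enough for this illustration
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {a['account']}@{a['src']}: {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

With the defaults only alice from 10.0.0.5 fires; bob stays under the threshold and dave's failures are too spread out, which is the point of pairing a count with a time window rather than counting 4625 events alone. The 4624 event right after alice's run is deliberately ignored here, but in a real rule a success following a burst of failures is worth surfacing as higher severity.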