Last active
October 14, 2019 13:49
-
-
Save faststeak/8c2f812f3a9650523aea44cae20fbaa7 to your computer and use it in GitHub Desktop.
Splunk searches to find password spraying in Auth DM
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Needs time and host components | |
| | tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Authentication by _time Authentication.src_user Authentication.user | rename Authentication.* as * | stats dc(user) as user_count values(user) as users by src_user | |
| # Base tstats search to get the initial data | |
| | tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Authentication by _time Authentication.action Authentication.src Authentication.dest Authentication.src_user Authentication.user Authentication.signature Authentication.signature_id |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment