2024-11-15 // Security Team
Brute Force Login Detection
Splunk
Detects repeated failed authentication attempts against a single account within a short time window, indicative of password brute-forcing activity.
authentication, brute-force, credential-attack, splunk
Overview
This detection identifies brute force login attempts by counting failed authentication events per target account within 5-minute time bins, and records the number of distinct source IPs seen against each account in the same bin.
Query
index=auth sourcetype=linux_secure action=failure
| bin _time span=5m
| stats count AS failed_attempts, dc(src_ip) AS unique_ips BY _time, user
| where failed_attempts > 10
| eval risk_score=case(failed_attempts>50, "CRITICAL", failed_attempts>20, "HIGH", true(), "MEDIUM")
| table _time, user, failed_attempts, unique_ips, risk_score
| sort -failed_attempts
Logic Explanation
The query bins events into 5-minute windows, then counts failed authentication attempts per user and the number of distinct source IPs (dc(src_ip)) behind them. More than 10 failures in a window flags potential brute force activity. The risk scoring escalates with volume: more than 20 failures is HIGH, more than 50 is CRITICAL, anything else above the threshold is MEDIUM.
Tuning Notes
- Adjust failed_attempts > 10 based on your environment's baseline
- Whitelist service accounts or known automation using | where NOT user IN ("svc_backup","svc_monitor")
- Consider adding a dc(src_ip) threshold to differentiate distributed vs single-source attacks
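As an added example (not part of the original detection page), the same bin / stats / where / eval logic from the query and the tuning notes above, applied in Python to a constructed set of failure events so the threshold, the whitelist and a dc(src_ip) split can be tried offline. The DISTRIBUTED_MIN_IPS value and the "pattern" field are assumptions, not part of the Splunk query.

```python
from collections import defaultdict

# Constructed sample events in the shape the query consumes
# (index=auth sourcetype=linux_secure action=failure): epoch seconds, user, src_ip.
# 1731672000 is a multiple of 300, so each burst below lands in a single 5-minute bin.
SAMPLE_FAILURES = (
    [(1731672000 + i * 10, "root", "203.0.113.5") for i in range(25)]        # single-source burst
    + [(1731672000 + i * 20, "alice", f"198.51.100.{i}") for i in range(12)]  # distributed spray
    + [(1731672000 + i * 15, "svc_backup", "10.0.0.9") for i in range(15)]    # known automation
    + [(1731672000 + i * 30, "bob", "192.0.2.7") for i in range(3)]           # below threshold
)

SPAN_SECONDS = 300                         # | bin _time span=5m
THRESHOLD = 10                             # | where failed_attempts > 10
WHITELIST = {"svc_backup", "svc_monitor"}  # tuning note: | where NOT user IN (...)
DISTRIBUTED_MIN_IPS = 5                    # assumed dc(src_ip) cut-off, not from the page


def risk_score(failed_attempts):
    # Mirrors the query's case() escalation.
    if failed_attempts > 50:
        return "CRITICAL"
    if failed_attempts > 20:
        return "HIGH"
    return "MEDIUM"


def detect_brute_force(events, threshold=THRESHOLD, whitelist=WHITELIST):
    """bin -> stats count, dc(src_ip) BY _time, user -> where -> eval -> sort."""
    buckets = defaultdict(lambda: [0, set()])  # (window, user) -> [count, {src_ip}]
    for ts, user, src_ip in events:
        if user in whitelist:
            continue
        window = ts - (ts % SPAN_SECONDS)  # floor the timestamp to its 5-minute bin
        agg = buckets[(window, user)]
        agg[0] += 1
        agg[1].add(src_ip)
    rows = []
    for (window, user), (count, ips) in buckets.items():
        if count > threshold:
            rows.append({
                "_time": window, "user": user, "failed_attempts": count,
                "unique_ips": len(ips), "risk_score": risk_score(count),
                "pattern": "distributed" if len(ips) >= DISTRIBUTED_MIN_IPS else "single-source",
            })
    return sorted(rows, key=lambda r: -r["failed_attempts"])  # | sort -failed_attempts
```

Dropping the whitelist (whitelist=set()) makes svc_backup appear as a 15-failure HIT, which is the false positive the tuning note is there to remove.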
References
- MITRE ATT&CK: T1110.001 - Brute Force: Password Guessing