Techniques
Sample rules
Splunk User Enumeration Attempt
- source: splunk
- techniques:
Description
The following analytic identifies attempts to enumerate usernames in Splunk by detecting multiple failed authentication attempts from the same source. It leverages data from the _audit index, specifically focusing on failed authentication events. This activity is significant for a SOC because it can indicate an attacker trying to discover valid usernames, which is a precursor to more targeted attacks like password spraying or brute force attempts. If confirmed malicious, this activity could lead to unauthorized access, compromising the security of the Splunk environment and potentially exposing sensitive data.
Detection logic
`splunkd_failed_auths`
| stats count(user) as auths by user, src
| where auths>5
| stats values(user) as user, sum(auths) as TotalFailedAuths by src
| `splunk_user_enumeration_attempt_filter`
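To make the two-stage aggregation concrete, here is an added Python re-implementation of the search above run over constructed sample events; it is not code from the original page or from Splunk, and the key=value event format, the `make_event` helper and the `detect_user_enumeration` function are assumptions modelled loosely on splunkd `_audit` login records.

```python
import re
from collections import Counter, defaultdict

def make_event(user, src, info="failed"):
    # Constructed, simplified stand-in for a splunkd _audit login record.
    return f"Audit:[user={user}, action=login attempt, info={info}, src={src}]"

# Constructed sample input: one source hammering two accounts, one benign source.
SAMPLE_EVENTS = (
    [make_event("admin", "203.0.113.7")] * 7              # 7 failures: over threshold
    + [make_event("svc_backup", "203.0.113.7")] * 6       # 6 failures: over threshold
    + [make_event("alice", "198.51.100.22")] * 3          # 3 failures: below threshold
    + [make_event("bob", "198.51.100.22", "succeeded")]   # success: filtered out
)

KV_RE = re.compile(r"(\w+)=([^,\]]+)")

def parse_event(line):
    # Turn "key=value, key=value" text into a dict (values may contain spaces).
    return dict(KV_RE.findall(line))

def failed_auths(events):
    # Plays the role of the `splunkd_failed_auths` macro: keep failed login attempts only.
    for line in events:
        ev = parse_event(line)
        if ev.get("action") == "login attempt" and ev.get("info") == "failed":
            yield ev

def detect_user_enumeration(events, threshold=5):
    # | stats count(user) as auths by user, src
    per_pair = Counter((ev["user"], ev["src"]) for ev in failed_auths(events))
    # | where auths>5
    # | stats values(user) as user, sum(auths) as TotalFailedAuths by src
    by_src = defaultdict(lambda: {"user": set(), "TotalFailedAuths": 0})
    for (user, src), auths in per_pair.items():
        if auths > threshold:
            by_src[src]["user"].add(user)
            by_src[src]["TotalFailedAuths"] += auths
    # values() in SPL returns a distinct set; sort it here for stable output.
    return {src: {"user": sorted(v["user"]), "TotalFailedAuths": v["TotalFailedAuths"]}
            for src, v in by_src.items()}

if __name__ == "__main__":
    for src, row in detect_user_enumeration(SAMPLE_EVENTS).items():
        print(src, row)
```

Because the threshold is applied per (user, src) pair before the results are grouped by src, a source that tries many distinct usernames only a few times each does not surface in this search; the per-src `TotalFailedAuths` is a sum over the pairs that already exceeded the threshold.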