This is a hunting search and requires the operator to search for a large number of login failures from several users, indicating possible user enumeration attempts. It may capture genuine login failures.

Techniques

Sample rules

Splunk Information Disclosure on Account Login

Description

This is a composed hunting search that looks for possible user enumeration attempts when SAML is enabled on a Splunk instance by capturing the different responses returned by the server.

Detection logic

`splunkd` component=UiAuth status=failure action=login TcpChannelThread
| stats count min(_time) as firstTime max(_time) as lastTime by user status action clientip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_information_disclosure_on_account_login_filter`
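The search above, re-implemented in Python as an added example (not code from the Splunk rule or the security_content project) over constructed splunkd-style lines. It reproduces the filter and `stats` step, and goes one step further than the SPL by applying the operator triage the false-positive note describes: several distinct users failing from one client IP, rather than one user failing repeatedly. The log line layout, field names beyond those in the search, and the `min_users` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real Splunk output); the key=value fields mirror
# what the hunting search keys on: component, status, action, user, clientip.
SAMPLE_LOG = """\
2024-05-01T10:00:01 component=UiAuth thread=TcpChannelThread user=alice action=login status=failure clientip=203.0.113.5
2024-05-01T10:00:03 component=UiAuth thread=TcpChannelThread user=bob action=login status=failure clientip=203.0.113.5
2024-05-01T10:00:05 component=UiAuth thread=TcpChannelThread user=carol action=login status=failure clientip=203.0.113.5
2024-05-01T10:00:07 component=UiAuth thread=TcpChannelThread user=dave action=login status=failure clientip=203.0.113.5
2024-05-01T10:01:00 component=UiAuth thread=TcpChannelThread user=alice action=login status=success clientip=198.51.100.9
2024-05-01T10:02:00 component=UiAuth thread=TcpChannelThread user=erin action=login status=failure clientip=198.51.100.9
2024-05-01T10:02:30 component=UiAuth thread=TcpChannelThread user=erin action=login status=failure clientip=198.51.100.9
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split one line into (timestamp, dict of key=value fields)."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["tcp_channel_thread"] = "TcpChannelThread" in rest
    return ts, fields

def failed_login_stats(log):
    """Equivalent of: component=UiAuth status=failure action=login TcpChannelThread
    | stats count min(_time) max(_time) by user status action clientip."""
    stats = {}
    for line in log.splitlines():
        ts, f = parse(line)
        if not (f.get("component") == "UiAuth" and f.get("status") == "failure"
                and f.get("action") == "login" and f["tcp_channel_thread"]):
            continue
        key = (f["user"], f["status"], f["action"], f["clientip"])
        s = stats.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        s["count"] += 1
        # ISO-8601 timestamps of equal layout compare correctly as strings
        s["firstTime"] = min(s["firstTime"], ts)
        s["lastTime"] = max(s["lastTime"], ts)
    return stats

def enumeration_candidates(stats, min_users=3):
    """Operator triage from the false-positive note: flag client IPs whose failures
    span many distinct users; a single user failing repeatedly (a likely genuine
    typo, the noted false positive) is left out. min_users is an assumed threshold."""
    users_by_ip = defaultdict(set)
    for (user, _status, _action, ip) in stats:
        users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}
```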