Splunk Brute Force Alerts showing only unknown

Question

So we had some external contractors set up our Splunk instances for us, and one of the things they set up for us was a Brute Force Alert email.
It seems to be based on the following query:

| tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src 
| rename Authentication.src as source, Authentication.action as action 
| chart last(count) over source by action 
| where success>0 and failure>20 
| sort -failure 
| rename failure as failures 
| fields - success, unknown

But all the report is showing me is that the source is unknown.

How can I find out what might be creating these "alerts"?

Answer 1

Score: 1

The Authentication data model uses "unknown" when a required field has no value or is not present.

Make sure your authentication events are CIM-compliant. Add field aliases, evals, or extractions as necessary to populate the data model's src field.
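The practical consequence of that behaviour is that every authentication event whose sourcetype does not populate src lands in one "unknown" bucket, so the alert's failure>20 threshold fires on that bucket while the real per-source counts are never seen. The three searches below are an added example, not part of the question or the answer; they walk from the alert back to the sourcetypes responsible and preview a fix. Run them one at a time. The field names src_ip and client_ip and the sourcetype name your_sourcetype are placeholders chosen for illustration, not values taken from the page.

```spl
| tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication
    where Authentication.src="unknown"
    by sourcetype, Authentication.action
| sort -count

| datamodel Authentication Authentication search
| search Authentication.src="unknown"
| fieldsummary maxvals=3
| search field="*src*" OR field="*ip*" OR field="*addr*" OR field="*client*"
| table field count values

sourcetype="your_sourcetype"
| eval src=coalesce(src, src_ip, client_ip)
| stats count by src, action
```

The first search tells you which sourcetypes (and which actions) are being counted under the unknown source, which is the answer to "what is creating these alerts". The second lists the fields those raw events actually carry, so you can pick the one that holds the client address instead of guessing a name. The third previews the alias at search time: once the stats split cleanly by a real src value, persist the mapping in props.conf for that sourcetype with a FIELDALIAS-<name> = src_ip AS src line (or an EVAL-src = coalesce(src_ip, client_ip) line when more than one candidate field exists). Because the alert uses summariesonly=t, it only reads the accelerated summary; verify the change with summariesonly=f until the summary has been rebuilt, after which the alert will report real sources and its failure threshold will apply per source as intended.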

huangapple
  • Posted on June 29, 2023 07:34:05
  • Please keep this link when reposting: https://go.coder-hub.com/76577275.html