Splunk Brute Force Alerts 仅显示未知。

huangapple go评论57阅读模式
英文:

Splunk Brute Force Alerts showing only unknown

问题

所以我们有一些外部承包商为我们设置了Splunk实例,其中之一是为我们设置了Brute Force Alert邮件。
似乎是基于以下查询设置的:

| tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src 
| rename Authentication.src as source, Authentication.action as action 
| chart last(count) over source by action 
| where success>0 and failure>20 
| sort -failure 
| rename failure as failures 
| fields - success, unknown

但报告只显示源未知。

我如何找出可能是什么导致了这些“警报”?

英文:

So we had some external contractors setup our splunk instances for us, and one of the things they setup for us was a Brute Force Alert email.
It seems to be based on the following query,

| tstats summariesonly=t allow_old_summaries=t count from datamodel=Authentication by Authentication.action, Authentication.src 
| rename Authentication.src as source, Authentication.action as action 
| chart last(count) over source by action 
| where success>0 and failure>20 
| sort -failure 
| rename failure as failures 
| fields - success, unknown

But all the report is showing me is that the source is unknown.

how can i find out what might be creating these "alerts" ?

答案1

得分: 1

认证数据模型在必需字段没有值或不存在时使用 "unknown"。

确保您的身份验证事件符合 CIM 标准。根据需要添加字段别名、evals 或提取以填充数据模型的 src 字段。

英文:

The Authentication data model uses "unknown" when a required field has no value or is not present.

Make sure your authentication events are CIM-compliant. Add field aliases, evals, or extractions as necessary to populate the data model's src field.

huangapple
  • 本文由 发表于 2023年6月29日 07:34:05
  • 转载请务必保留本文链接:https://go.coder-hub.com/76577275.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定