Detect Password Spray Attempts
This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across many different accounts to avoid detection and account lockouts. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4625 | An account failed to log on. |
Stages and Predicates
Stage 1: tstats
tstats WHERE NOT Authentication.src IN ("-", "unknown") Authentication.action="failure" BY _time, Authentication.action, Authentication.app, Authentication.authentication_method, Authentication.dest, Authentication.signature, Authentication.signature_id, Authentication.src, sourcetype
Stage 2: search
search
Stage 3: appendpipe
appendpipe
Stage 4: fillnull
fillnull
Stage 5: eval
eval ... using (signature_id, sourcetype, src)
Stage 6: eventstats
eventstats
Stage 7: eval
eval ... using (fnscounter)
Stage 8: stats
stats BY counter, unique_accounts, _time
Stage 9: sort
sort _time, unique_accounts
Stage 10: dedup
dedup _time, counter
Stage 11: eventstats
eventstats avg(unique_accounts) AS comp_avg BY counter
Stage 12: eval
eval ... using (comp_avg, comp_std)
Stage 13: eval
eval ... using (unique_accounts, upperBound)
Stage 14: replace
replace
Stage 15: where
where isOutlier=1
Stage 16: search
search
Stage 17: table
table _time, action, app, counter, signature_id, sourcetype, src, total_failures, unique_accounts, unique_user_names
Stage 18: search
search `macro`
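As an added example (not part of the rule or its SPL), the pipeline summarised above rendered as plain Python over constructed failed-logon events: group per source, count distinct accounts per time bucket, baseline each source against its own buckets and flag buckets above the 3-sigma bound. The counter key (signature_id, sourcetype, src), the use of the sample standard deviation for comp_std and the upperBound = comp_avg + 3 * comp_std formula are assumptions read off the stage summaries.

```python
"""3-sigma password-spray detection over failed-logon events, mirroring the stages
above: group per source, count unique accounts per time bucket, baseline each source
against its own buckets, flag buckets where unique_accounts > avg + 3 * std."""
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample events: (time_bucket, src, user, signature_id, sourcetype), all
# CIM Authentication events with action=failure. Buckets 0-29 are baseline noise from
# 10.0.0.5 (one account each); bucket 30 is a spray: same source, 40 distinct accounts.
EVENTS = [(t, "10.0.0.5", f"user{t % 2}", 4625, "XmlWinEventLog") for t in range(30)]
EVENTS += [(30, "10.0.0.5", f"acct{i:02d}", 4625, "XmlWinEventLog") for i in range(40)]
EVENTS += [(3, "-", "svc", 4625, "XmlWinEventLog")]  # dropped by the stage 1 exclusion

EXCLUDED_SRC = {"-", "unknown"}
SIGMA = 3  # 3-sigma upper bound; comp_std is assumed to be stdev(unique_accounts)

def bucket_stats(events):
    """Stages 1, 5 and 8: drop excluded sources, key by (signature_id, sourcetype, src)
    as the counter, then per time bucket collect distinct accounts and total failures."""
    buckets = defaultdict(lambda: {"users": set(), "total": 0})
    for t, src, user, sig, st in events:
        if src in EXCLUDED_SRC:
            continue
        b = buckets[((sig, st, src), t)]
        b["users"].add(user)
        b["total"] += 1
    return buckets

def detect_spray(events, sigma=SIGMA):
    """Stages 11-15: per counter, comp_avg/comp_std of unique_accounts across its time
    buckets, upperBound = comp_avg + sigma * comp_std, keep buckets above the bound."""
    per_counter = defaultdict(list)
    for (counter, t), b in bucket_stats(events).items():
        per_counter[counter].append((t, len(b["users"]), b["total"], sorted(b["users"])))
    outliers = []
    for counter, rows in per_counter.items():
        counts = [uniq for _, uniq, _, _ in rows]
        comp_avg = mean(counts)
        comp_std = stdev(counts) if len(counts) > 1 else 0.0  # one bucket: no baseline
        upper_bound = comp_avg + sigma * comp_std
        for t, uniq, total, users in rows:
            if uniq > upper_bound:  # eval isOutlier, then where isOutlier=1
                outliers.append({"_time": t, "signature_id": counter[0], "sourcetype": counter[1],
                                 "src": counter[2], "unique_accounts": uniq, "total_failures": total,
                                 "upperBound": round(upper_bound, 2), "unique_user_names": users})
    return outliers

if __name__ == "__main__":
    for hit in detect_spray(EVENTS):
        print(hit)
```

With only a handful of time buckets per source a single spike can never clear mean + 3 * std, because the sample z-score is bounded by (n-1)/sqrt(n); the search window therefore has to cover enough buckets for the per-source baseline to be meaningful.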
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | src | in | "-", "unknown" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Authentication.action | eq | "failure" |
| isOutlier | eq | 1 |