Authentications zero successes - SIEM

Hi there,

I deployed the "Elasticsearch (Self-Managed)" solution with Azure and I'm getting an odd error.

When I go to the SIEM part > Hosts > Authentications, it only returns fails and zero successes as per the image below.

Any thoughts?
I've tried different versions of Elasticsearch.

Is it a license thing?


Hi @fabinho1314,

It might be worth taking a look at the Data Sources which can be found on the Hosts page and seeing if it is reading from a source which should have successful authentications.

In a nutshell, you can look at the Elastic DSL query directly by clicking on the magnifying glass of any widget, but if you want to see if you have any successes you can also use Timeline through this KQL query:

"event.category": "authentication" and "event.outcome": "success"

We're checking for both of those to see if there is a success. If you have a lot of failures like I see below, that's the query:

"event.category": "authentication" and "event.outcome": "failure"

You can change your Kibana Index patterns in either Data Sourcer at the top of each page and within timeline:

To explore and see what indexes have what data. The dashes in the above screenshot for "Last success" and "Last successful source" seem to show that those fields aren't filled out within your index.

The large number of failures seems to indicate that you have outsiders attacking your network and trying to use the user of either "administrator" or "ADMINISTRATOR" with lots of failures and no successes. Or you have a rogue process/script doing something with lots of failures.
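As an added illustration (not code from the thread or from Elastic), the snippet below mirrors the two KQL filters above over a few constructed ECS-shaped documents. It shows why an index can produce failures but zero successes: events that never set `event.outcome` match neither query, which is what the dashes for "Last success" hint at. The sample documents and their values are assumptions.

```python
from collections import Counter

# Constructed sample events in ECS shape (assumption, not real data). event.category
# may be a string or a list, and some shippers never populate event.outcome.
SAMPLE_EVENTS = [
    {"event": {"category": ["authentication"], "outcome": "failure"},
     "user": {"name": "administrator"}, "source": {"ip": "203.0.113.5"}},
    {"event": {"category": "authentication", "outcome": "failure"},
     "user": {"name": "ADMINISTRATOR"}, "source": {"ip": "203.0.113.5"}},
    {"event": {"category": ["authentication"]},            # no outcome at all
     "user": {"name": "alice"}, "source": {"ip": "192.0.2.10"}},
    {"event": {"category": ["authentication"], "outcome": "success"},
     "user": {"name": "alice"}, "source": {"ip": "192.0.2.10"}},
    {"event": {"category": ["process"], "outcome": "success"},  # not an auth event
     "user": {"name": "svc"}},
]

def get_field(doc, dotted):
    """Resolve an ECS dotted field name such as 'event.outcome' in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches(doc, field, value):
    """KQL '"field": "value"' on a keyword field: true when the value equals the
    field, or is one of its values when the field holds an array."""
    actual = get_field(doc, field)
    return value in actual if isinstance(actual, list) else actual == value

def authentication_outcomes(docs):
    """Count authentication events per outcome the way the two KQL queries do.
    Returns (counts, unclassified): unclassified are authentication events that
    match neither query because event.outcome is missing."""
    counts, unclassified = Counter(), []
    for doc in docs:
        if not matches(doc, "event.category", "authentication"):
            continue
        if matches(doc, "event.outcome", "success"):
            counts["success"] += 1
        elif matches(doc, "event.outcome", "failure"):
            counts["failure"] += 1
        else:
            unclassified.append(doc)
    return counts, unclassified

if __name__ == "__main__":
    counts, missing = authentication_outcomes(SAMPLE_EVENTS)
    print(dict(counts), len(missing), "auth events with no event.outcome")
```

If the unclassified list is non-empty for your real data, the fix is in the shipper or ingest pipeline (populate `event.outcome`), not in the SIEM license.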
