- Incident Type: SSH Brute Force Attack
- Severity: High
- Detection Method: Splunk SIEM Log Analysis
- Tools Used: Splunk Enterprise, Ubuntu Server, Kali Linux (Hydra)
- Status: Detected and Analyzed (No Confirmed Compromise)
A brute force attack targeting SSH services was detected using Splunk SIEM. The attacker attempted to gain unauthorized access by generating multiple failed login attempts from a single source IP within a short timeframe.
The activity was identified through log aggregation and pattern analysis of authentication logs ingested into Splunk.
- Target System: Ubuntu Server (SSH Enabled)
- Attack Source: Kali Linux (Simulated Attacker)
- Log Source: /var/log/auth.log
- SIEM Platform: Splunk Enterprise
- Configured SSH service on Ubuntu target system
- Created user accounts for authentication testing
- Installed and configured Splunk Enterprise
- Enabled log forwarding using Splunk Universal Forwarder
- Performed SSH brute force attack using Hydra
- Generated multiple failed login attempts
- Targeted valid and invalid user accounts
- Ingested /var/log/auth.log into Splunk
- Verified that events were searchable using:

```spl
index=main
```
- Confirmed visibility of authentication events
A brute force attack is identified when all three of the following hold:
- Multiple failed login attempts occur (here: more than 3)
- The attempts originate from a single source IP
- The activity occurs within a short timeframe
```spl
index=main "Failed password"
| rex "from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| stats count as failed_attempts by src_ip
| where failed_attempts > 3
| sort - failed_attempts
```

Note that this query counts failures over the whole search time range, so the "short timeframe" criterion comes from the time picker (for example the last 15 minutes) rather than from the query itself; for a scheduled alert, bucket by `_time` as well so a slow, low-rate guesser does not accumulate into a false positive over a long window.
- Extracted source IP addresses from the `Failed password` events
- Aggregated failed login attempts per source IP
- Identified the top offending IP responsible for the attack
- Identified a high volume of failed login attempts from that single IP
- Observed a rapid sequence of authentication failures (several per second)
- Checked for successful logins (`Accepted password` events) from the same source IP after the failures
- Confirmed that the behavior is consistent with brute force activity
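The same detection and investigation logic, applied outside Splunk to raw `/var/log/auth.log` lines, is shown below. This is an added example written for this write-up, not code from the original lab or from Splunk. It implements the three criteria above (failure count, single source IP, time window) with an explicit sliding window rather than relying on the search time range, separates valid from invalid target accounts, and performs the follow-up check for a successful login from the offending IP. The log lines are constructed for the example (the OpenSSH message format is the standard Ubuntu one, but the hosts, PIDs and addresses are made up) and deliberately include one `Accepted password` event after the failures so that the success check has something to report; `LOG_YEAR` is an assumption because syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog timestamps have no year; assume one so they can be compared (assumption).
LOG_YEAR = 2024

# Constructed sample of /var/log/auth.log lines (not captured from the lab).
# 192.168.56.101 plays the attacker; 192.168.56.20 is a user who mistyped once.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 ubuntu sshd[2311]: Failed password for invalid user admin from 192.168.56.101 port 41234 ssh2
Mar 10 12:00:02 ubuntu sshd[2313]: Failed password for invalid user test from 192.168.56.101 port 41236 ssh2
Mar 10 12:00:02 ubuntu sshd[2315]: Failed password for root from 192.168.56.101 port 41238 ssh2
Mar 10 12:00:03 ubuntu sshd[2317]: Failed password for alice from 192.168.56.101 port 41240 ssh2
Mar 10 12:00:04 ubuntu sshd[2319]: Failed password for alice from 192.168.56.101 port 41242 ssh2
Mar 10 12:00:05 ubuntu sshd[2321]: Accepted password for alice from 192.168.56.101 port 41244 ssh2
Mar 10 12:07:30 ubuntu sshd[2400]: Failed password for bob from 192.168.56.20 port 50112 ssh2
Mar 10 12:07:41 ubuntu sshd[2402]: Accepted password for bob from 192.168.56.20 port 50114 ssh2
"""

# OpenSSH password-auth outcome line. "invalid user" is present when the
# account does not exist, which lets us tell valid from invalid targets.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_log(text):
    """Return a list of auth events; lines that are not sshd password outcomes are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # cron, sudo, pam_unix noise, etc.
        when = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": when,
            "success": m["result"] == "Accepted",
            "user": m["user"],
            "valid_user": m["invalid"] is None,
            "src_ip": m["src_ip"],
        })
    return events


def detect_brute_force(events, threshold=3, window_seconds=300):
    """Flag source IPs with more than `threshold` failures inside any `window_seconds` span.

    Equivalent to `stats count by src_ip | where failed_attempts > 3`, but the time
    window is enforced per IP instead of being inherited from the search range.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["src_ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e["success"]]
        # Sliding window: largest number of failures whose timestamps fit in the window.
        best, start = 0, 0
        for end in range(len(failures)):
            while (failures[end]["time"] - failures[start]["time"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best <= threshold:
            continue  # below the detection criterion

        # Investigation step: did this IP ever authenticate successfully after it started failing?
        first_failure = failures[0]["time"]
        success_after = [e for e in evs if e["success"] and e["time"] >= first_failure]
        findings[ip] = {
            "failed_attempts": len(failures),
            "max_in_window": best,
            "valid_users_targeted": sorted({e["user"] for e in failures if e["valid_user"]}),
            "invalid_users_targeted": sorted({e["user"] for e in failures if not e["valid_user"]}),
            "success_after_failures": [(e["time"].strftime("%H:%M:%S"), e["user"]) for e in success_after],
        }
    return findings


def investigate(text=SAMPLE_AUTH_LOG, threshold=3, window_seconds=300):
    return detect_brute_force(parse_auth_log(text), threshold, window_seconds)


if __name__ == "__main__":
    for ip, f in investigate().items():
        print(f"{ip}: {f['failed_attempts']} failures ({f['max_in_window']} within window)")
        print(f"  valid accounts: {f['valid_users_targeted']}, invalid: {f['invalid_users_targeted']}")
        if f["success_after_failures"]:
            print(f"  WARNING: successful login after failures: {f['success_after_failures']}")
```

Running it reports only 192.168.56.101 (five failures in four seconds, root and alice as valid targets, admin and test as invalid ones, and a successful login as alice afterwards); bob's single typo never reaches the threshold. Tightening `window_seconds` to 1 drops the attacker below the threshold too, which is the point of making the window explicit: in the SPL version the same effect comes from the chosen search time range.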
- High number of failed SSH login attempts
- Repeated authentication attempts from single source IP
- Rapid login attempts within short time interval
- Targeting of valid user accounts
| Behavior | Technique ID | ATT&CK Name |
|---|---|---|
| Brute Force Login | T1110.001 | Brute Force: Password Guessing |
| Remote Service Access | T1021.004 | Remote Services: SSH |
| Valid Account Targeting | T1078 | Valid Accounts |
- Confirmed SSH brute force attack activity
- A single source IP was responsible for the repeated login attempts
- No successful login from that IP was observed during the attack window, so no compromise is confirmed
- The activity is consistent with a credential access attempt: user enumeration across valid and invalid accounts followed by password guessing
- Monitor repeated authentication failures in real time
- Block the offending IP address at the firewall (a temporary, rate-based block is less disruptive than a permanent blacklist if the source is spoofed or shared)
- Enable scheduled alerting in Splunk for the brute force detection query
- Enforce account lockout or rate-limiting policies, keeping in mind that aggressive lockouts let an attacker lock out legitimate users
- Prefer key-based SSH authentication and disable password authentication where possible, which removes the password-guessing surface entirely
- Review authentication logs for any future successful logins from the offending IP or against the targeted accounts
Brute force attacks rely on automation to exploit weak authentication mechanisms. SIEM tools like Splunk enable early detection through log aggregation and pattern recognition, allowing SOC analysts to respond before compromise occurs.
This investigation demonstrates the ability to:
- Ingest and analyze logs in Splunk
- Detect brute force attacks using SPL queries
- Identify malicious patterns in authentication logs
- Perform SOC-style investigation and reporting
- Map attack behavior to MITRE ATT&CK framework
```
├── README.md
├── images/
│   ├── 01_setup.png
│   ├── 02_attack.png
│   ├── 03_ingestion.png
│   ├── 04_detection.png
│   ├── 05_investigation.png
│   ├── 06_incident_report.png
├── logs.txt
├── splunk_queries.md
```
This investigation demonstrates how SSH brute force attacks can be detected using Splunk SIEM. By analyzing authentication logs and identifying abnormal login patterns, SOC analysts can detect and respond to credential-based attacks before system compromise occurs.