The question for this section is:
Construct a Splunk query targeting the “ssh_bruteforce” index and the “bro:ssh:json” sourcetype. The resulting output should display the time bucket, source IP, destination IP, client, and server, together with the cumulative count of authentication attempts where the total number of attempts surpasses 30 within a 5-minute time window. Enter the IP of the client that performed the SSH brute attack as your answer.
By using the below query we can see there are 17 events in total:
index="ssh_bruteforce" sourcetype="bro:ssh:json" latest=now
So, obviously if we search for 30+ attempts within a 5-minute time window we get 0 results.
There is only one source IP address in the events but I think the question is wrong.
Am I wrong?
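Added example (not part of the post above, and not an answer key): a Python re-implementation of the aggregation the question describes, run over a constructed set of Zeek `ssh.log` records in the JSON shape the `bro:ssh:json` sourcetype ingests. It assumes Zeek's field names (`id.orig_h`, `id.resp_h`, `client`, `server`, `auth_attempts`) and mirrors an assumed SPL query of the form `bucket _time span=5m | stats ... | where total_attempts > 30`; the IPs, client/server banners and timestamps are constructed. The `measure` parameter lets you compare two readings of "attempts": summing each record's `auth_attempts` field versus counting records, which give different results on the same data.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# SPL this example mirrors. This is an assumed query written for this example, not the
# post's query or an answer key; field names follow Zeek's ssh.log as ingested as bro:ssh:json.
SPL_QUERY = """index="ssh_bruteforce" sourcetype="bro:ssh:json"
| bucket _time span=5m
| stats sum(auth_attempts) AS total_attempts, count AS events BY _time, id.orig_h, id.resp_h, client, server
| where total_attempts > 30"""


def _event(ts, src, dst, attempts, client, server, success=False):
    """Build one constructed Zeek ssh.log record as a JSON line."""
    return json.dumps({
        "ts": ts, "uid": "CONSTRUCTED-UID", "id.orig_h": src, "id.orig_p": 51000,
        "id.resp_h": dst, "id.resp_p": 22, "version": 2, "auth_success": success,
        "auth_attempts": attempts, "client": client, "server": server,
    })


ATTACKER_CLIENT = "SSH-2.0-paramiko_2.11.0"            # constructed client banner
ADMIN_CLIENT = "SSH-2.0-OpenSSH_9.3"                    # constructed client banner
SERVER = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4"      # constructed server banner
T0 = 1700000000.0  # 2023-11-14T22:13:20Z, which falls in the 22:10:00 five-minute bucket

# Constructed sample: 9 records in total. Six connections from 10.0.0.5 land in one bucket
# and carry 6 auth attempts each (36 attempts); two later ones carry 4 each (8 attempts);
# one admin login from 10.0.0.7 succeeds on its first attempt.
SAMPLE_EVENTS = (
    [_event(T0 + 10 * i, "10.0.0.5", "10.0.0.20", 6, ATTACKER_CLIENT, SERVER) for i in range(6)]
    + [_event(T0 + 400 + 10 * i, "10.0.0.5", "10.0.0.20", 4, ATTACKER_CLIENT, SERVER) for i in range(2)]
    + [_event(T0 + 5, "10.0.0.7", "10.0.0.20", 1, ADMIN_CLIENT, SERVER, success=True)]
)


def bucket_start(ts, span=300):
    """Floor a Unix timestamp to the start of its span-second window (like `bucket _time span=5m`)."""
    return int(ts // span) * span


def aggregate(events, span=300):
    """Group records by (bucket, src, dst, client, server); keep record count and summed auth_attempts."""
    totals = defaultdict(lambda: {"events": 0, "attempts": 0})
    for line in events:
        ev = json.loads(line)
        key = (bucket_start(ev["ts"], span), ev["id.orig_h"], ev["id.resp_h"],
               ev.get("client", "-"), ev.get("server", "-"))
        totals[key]["events"] += 1
        totals[key]["attempts"] += int(ev.get("auth_attempts", 0))
    return totals


def find_bruteforce(events, threshold=30, span=300, measure="attempts"):
    """Return groups whose `measure` ("attempts" = sum(auth_attempts), "events" = count) exceeds threshold."""
    rows = []
    for (start, src, dst, client, server), v in sorted(aggregate(events, span).items()):
        if v[measure] > threshold:
            rows.append({
                "_time": datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                "src_ip": src, "dest_ip": dst, "client": client, "server": server,
                "events": v["events"], "total_attempts": v["attempts"],
            })
    return rows


if __name__ == "__main__":
    print(SPL_QUERY)
    for row in find_bruteforce(SAMPLE_EVENTS):
        print(row)
    print("groups over 30 by record count alone:", len(find_bruteforce(SAMPLE_EVENTS, measure="events")))
```

Running the block prints the assumed SPL and a single flagged row for the 22:10:00 bucket (six records, 36 summed attempts), while the same data flagged by record count alone yields no rows. The same distinction applies in Splunk: `count` tallies log records, whereas `sum(auth_attempts)` tallies the per-connection attempt counter Zeek writes into each record.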