topic Re: Only Failed Users without Any other Successful attempts in Security

Only Failed Users without Any other Successful attempts

moayadalghamdi — Sun, 11 Jul 2021 10:38:07 GMT

Hello Splunkers

i want to print events for only the users who has failed login attempts but never allowed attempts.

here's my search index=MyApp eventype=authentication action=fail user=*

but this one prints all failures even if they have other successful attempt.

i only want users with only failed attempts without other successful attempts, i hope the picture below clears things:

green: user only have successful logins

Yellow: user have both successful/failed logins

Red: user only have failed logins

i want the red area only

Thanks

Re: Only Failed Users without Any other Successful attempts

ITWhisperer — Sun, 11 Jul 2021 10:54:21 GMT

Re: Only Failed Users without Any other Successful attempts

moayadalghamdi — Sun, 11 Jul 2021 11:02:12 GMT

you really deserve the rank LEGEND

Thanks a lot ^_^

Re: Only Failed Users without Any other Successful attempts

moayadalghamdi — Sun, 11 Jul 2021 11:16:02 GMT

another help Mr. Whisperer

i want to show this value as a single count to show it in a "single value" visualization.

Thanks again ^_^

Re: Only Failed Users without Any other Successful attempts

ITWhisperer — Sun, 11 Jul 2021 12:30:06 GMT

Which count? The count of users who failed or the count of failures (by user or total)?

Re: Only Failed Users without Any other Successful attempts

moayadalghamdi — Mon, 12 Jul 2021 06:10:34 GMT

Hello.

i had 27 results of distinct users who never had a successful login, i want those 27 results as a single count value

i want to show it like this

this is a 3d search with span=1d, i want something similar.

thanks ^_^

Re: Only Failed Users without Any other Successful attempts

ITWhisperer — Mon, 12 Jul 2021 06:34:49 GMT

Add

| stats count

to the end to get the 27

Re: Only Failed Users without Any other Successful attempts

moayadalghamdi — Mon, 12 Jul 2021 06:43:35 GMT

sorry but i need it in timechart, so i can see the changes overtime.

i used

| timechart count

and

| timechart span=1d count

but no statistics neither visuals was shown.

pleas help with it, thanks ^_^

Re: Only Failed Users without Any other Successful attempts

ITWhisperer — Mon, 12 Jul 2021 06:47:44 GMT

It would help if you were clear from the outset what the full requirement was! Try this:

| bin _time span=1d | stats values(attempt) as attempt dc(attempt) as count by _time user | where attempt="fail" AND count = 1 | stats count by _time

Re: Only Failed Users without Any other Successful attempts

moayadalghamdi — Mon, 12 Jul 2021 06:52:17 GMT

sorry but its not working.

here's the search.

and here's the search with the count by _time

Re: Only Failed Users without Any other Successful attempts

ITWhisperer — Mon, 12 Jul 2021 06:57:30 GMT

That isn't the search with _time that I suggested - you need to bin the time into days, add it to the first stats so that _time in available for the second stats. Please read and implement the suggestions carefully before saying they don't work. I can't guarantee to get it right every time, but if you don't try what is suggested, how will we know if it works or not?

Re: Only Failed Users without Any other Successful attempts

moayadalghamdi — Mon, 12 Jul 2021 07:02:52 GMT

sorry for that, i took the wrong screen shot.

here's the actual screenshot with the bin command.

im so sorry to bother you.

Re: Only Failed Users without Any other Successful attempts

ITWhisperer — Mon, 12 Jul 2021 07:06:58 GMT

You still haven't got the _time on the first stats!

Re: Only Failed Users without Any other Successful attempts

moayadalghamdi — Mon, 12 Jul 2021 07:12:40 GMT

it worked!

thanks man, you're the best !