https://community.splunk.com/t5/Getting-Data-In/Successfull-brute-force-loggings/m-p/369454#M92940 <P>Thank you!</P> Tue, 09 May 2017 15:53:05 GMT alemarzu 2017-05-09T15:53:05Z https://community.splunk.com/t5/Getting-Data-In/Successfull-brute-force-loggings/m-p/369451#M92937 <P>I am looking for successfull brute force logins<BR /> basically I am looking for 5 failed logings followed by 1 successfull login<BR /> I found the below search and it seems to be working, but it's just counting the fails and success,<BR /> there is no time sequence<BR /> it isnt looking for the first 5 failed loggings, it counts all the failed and succeefull logings<BR /> and then makes a count,<BR /> how can I add the time awareness (5 failed loggings followed by 1 successfull within 5 or 10 min)?</P> <P>action= failed or success (login) <BR /> user= userid's<BR /> index=* | bucket _time span=30m | stats list(action) as Attempts, count(eval(match(action,"failure"))) as Failed, count(eval(match(action,"success"))) as Success by user | where mvcount(Attempts)&gt;=6 AND Success=1 AND Failed&gt;=5</P> Tue, 09 May 2017 11:52:25 GMT https://community.splunk.com/t5/Getting-Data-In/Successfull-brute-force-loggings/m-p/369451#M92937 ecanmaster 2017-05-09T11:52:25Z https://community.splunk.com/t5/Getting-Data-In/Successfull-brute-force-loggings/m-p/369452#M92938 <P>Hi there @ecanmaster</P> <P>Perhaps something like this might help you.</P> <PRE><CODE>earliest=-11min@min latest=-1min@min your_main_search_here action="success" | stats count, latest(_time) AS lastLogin by user | eval timewindow=lastLogin - 600 | map maxsearches=100 search="your_main_search_here action="failure" earliest=$timewindow$ latest=$lastLogin$ user=$user$" | stats count, latest(_time) AS "Latest Attempt" by user | convert ctime("Latest Attempt") | rename user AS "Compromised Account", count AS "loginAttempts" | where loginAttempts &gt; 4 </CODE></PRE> <P>This should search successful user logins in a 10 min window and if it finds one it goes back in time 10 min to find failed attempts in the last 10 minutes for each user/success login.</P> <P>Could't tested it, hope it helps.</P> <P><STRONG>EDIT:</STRONG> Fixed. Thank you @DalJeanis</P> Tue, 09 May 2017 14:51:46 GMT https://community.splunk.com/t5/Getting-Data-In/Successfull-brute-force-loggings/m-p/369452#M92938 alemarzu 2017-05-09T14:51:46Z https://community.splunk.com/t5/Getting-Data-In/Successfull-brute-force-loggings/m-p/369453#M92939 <P>@alemarzu - looks good with one fix and one improvement...</P> <P>1) <CODE>latest=-11m@m earliest=-1m@m</CODE></P> <P>2) No need to kill the field <CODE>count</CODE>; it gets thrown away at the next command ( <CODE>map</CODE> ) anyway.</P> Tue, 09 May 2017 15:30:11 GMT https://community.splunk.com/t5/Getting-Data-In/Successfull-brute-force-loggings/m-p/369453#M92939 DalJeanis 2017-05-09T15:30:11Z https://community.splunk.com/t5/Getting-Data-In/Successfull-brute-force-loggings/m-p/369454#M92940 <P>Thank you!</P> Tue, 09 May 2017 15:53:05 GMT https://community.splunk.com/t5/Getting-Data-In/Successfull-brute-force-loggings/m-p/369454#M92940 alemarzu 2017-05-09T15:53:05Z https://community.splunk.com/t5/Getting-Data-In/Successfull-brute-force-loggings/m-p/369455#M92941 <P>hmm,so for each successful login we go and execute?<BR /> isn’t more normal to search only when I see a fail, which are not so often as successful logins?<BR /> thanks</P> Sat, 23 Feb 2019 20:09:33 GMT https://community.splunk.com/t5/Getting-Data-In/Successfull-brute-force-loggings/m-p/369455#M92941 printul77700 2019-02-23T20:09:33Z