https://community.splunk.com/t5/Alerting/Validate-success-versus-failed-logins/m-p/327377#M10841 <P>I was asked if we can run a report / create an alert to act on the following:</P> <P>Accounts that have had failed logins, but never a successful login, within a defined time window. The goal is to determine is an account has ever been used successfully, and if it has not, then it can be sent to the access management team to review.</P> <P>In my data, I have the default _time but also have a time field from the source of "LoginAttemptDateTime". For login status, I have a field called "LoginStatus", and of course user field of "User".</P> <P>Looking at some of the Brute force posts offered ideas, but nothing that gave me exactly what I was asked for. Hoping someone has another idea.</P> <P>Thanks in advance</P> Wed, 11 Apr 2018 15:08:24 GMT bworrellZP 2018-04-11T15:08:24Z https://community.splunk.com/t5/Alerting/Validate-success-versus-failed-logins/m-p/327377#M10841 <P>I was asked if we can run a report / create an alert to act on the following:</P> <P>Accounts that have had failed logins, but never a successful login, within a defined time window. The goal is to determine is an account has ever been used successfully, and if it has not, then it can be sent to the access management team to review.</P> <P>In my data, I have the default _time but also have a time field from the source of "LoginAttemptDateTime". For login status, I have a field called "LoginStatus", and of course user field of "User".</P> <P>Looking at some of the Brute force posts offered ideas, but nothing that gave me exactly what I was asked for. Hoping someone has another idea.</P> <P>Thanks in advance</P> Wed, 11 Apr 2018 15:08:24 GMT https://community.splunk.com/t5/Alerting/Validate-success-versus-failed-logins/m-p/327377#M10841 bworrellZP 2018-04-11T15:08:24Z https://community.splunk.com/t5/Alerting/Validate-success-versus-failed-logins/m-p/327378#M10842 <P>I would run a distinct count on LoginStatus per user and retrieve the LoginStatus values then keep the one with distinct count equal to one (only Successful or Failed logins) and values set to "Failed":</P> <PRE><CODE>index=yourindex sourcetype=yoursourcetype | stats dc(LoginStatus) as dc, values(LoginStatus) as LoginStatus by User | search dc=1 AND LoginStatus="Failed" </CODE></PRE> Wed, 11 Apr 2018 15:26:34 GMT https://community.splunk.com/t5/Alerting/Validate-success-versus-failed-logins/m-p/327378#M10842 damien_chillet 2018-04-11T15:26:34Z https://community.splunk.com/t5/Alerting/Validate-success-versus-failed-logins/m-p/327379#M10843 <P>Okay, this is good, they (management) liked it. They had two questions. Can we add the amount of times the login was tried, and can we also add the ones that did login successfully, and show the failed counts for those. </P> <P>I am going to try and mess with this some, as the distinct count option was not one I had thought of.</P> Thu, 12 Apr 2018 11:25:55 GMT https://community.splunk.com/t5/Alerting/Validate-success-versus-failed-logins/m-p/327379#M10843 bworrellZP 2018-04-12T11:25:55Z https://community.splunk.com/t5/Alerting/Validate-success-versus-failed-logins/m-p/327380#M10844 <P>I would try something like:</P> <PRE><CODE> index=yourindex sourcetype=yoursourcetype | stats count(eval(LoginStatus="succeeded")) as succeeded_logins, count(eval(LoginStatus="failed")) as failed_logins, count(LoginAttemptDateTime) AS total_attempts BY User </CODE></PRE> <P>With this you can set filters like:</P> <OL> <LI> | search succeeded_logins=0 AND failed_logins&gt;0</LI> </OL> <P>2.<BR /> | search succeded_logins&gt;0<BR /> | stats count avg(total_attempts) AS avg_attempts</P> Tue, 29 Sep 2020 18:59:19 GMT https://community.splunk.com/t5/Alerting/Validate-success-versus-failed-logins/m-p/327380#M10844 HeinzWaescher 2020-09-29T18:59:19Z https://community.splunk.com/t5/Alerting/Validate-success-versus-failed-logins/m-p/327381#M10845 <P>Excellent, your suggestion was able to get me where I needed you go. Thank you</P> Fri, 13 Apr 2018 10:01:58 GMT https://community.splunk.com/t5/Alerting/Validate-success-versus-failed-logins/m-p/327381#M10845 bworrellZP 2018-04-13T10:01:58Z