topic Create alerts for failed Logons in Alerting

Create alerts for failed Logons

heathramos — Mon, 13 Nov 2017 19:05:48 GMT

Splunk has a dashboard that list Users Failing to Logon from Multiple IPs and Failed Logons by Username.

I am interested in setting up alerts based off of those but I'm unsure how.

I know I can open each up in a search and I could choose save as an alert from the drop down box but I don't know if that is the best approach.

I don't want to rely on running a report manually so need an alert that triggers an email

Re: Create alerts for failed Logons

akocak — Mon, 13 Nov 2017 19:11:07 GMT

Hi Heathramos,

I had similar need recently and made it there with following:

    index=_audit "action=login attempt" sourcetype=audittrail  NOT SEARCH  | table  _time user src dest info

if you are looking for failed only, you can either add

|search info=failed

to the end of the search OR:

index=_audit "action=login attempt" sourcetype=audittrail info=failed NOT SEARCH  | table  _time user src dest info

Re: Create alerts for failed Logons

heathramos — Mon, 13 Nov 2017 19:17:52 GMT

just to clarify, I mean failed logons to computer/domain, not failed logons into Splunk

Re: Create alerts for failed Logons

akocak — Mon, 13 Nov 2017 19:25:22 GMT

this info should be in WinEvent:Security logs. I don't have that app to check win logins. if you can provide search by clicking that dashboard or application name/dashboard name of the view, I can help further.

Re: Create alerts for failed Logons

heathramos — Tue, 29 Sep 2020 16:43:13 GMT

Users Failing to Logon from Multiple IPs:

Want: An email generated when count of IPs >1

Question: How to control the time interval? Real time alter when count >1 over the last 2 min?

Re: Create alerts for failed Logons

heathramos — Tue, 29 Sep 2020 16:43:16 GMT

Failed Logons by Username:

eventtype=msad-failed-user-logons (host="*") src_nt_domain="." | fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type | join src_ip [|inputlookup tHostInfo | table src_ip,src_host,src_nt_domain]