topic Re: Alert for Failed Login Attempts in Alerting

Alert for Failed Login Attempts

drizzo — Mon, 26 Jun 2017 16:42:38 GMT

I have searched across Splunk Answers, Docs, and the YouTube channel, but I'm still having an issue with setting up a proper alert. I need to setup an Alert so that if failed logins exceeds 4 attempts within 10 minutes, an alert will be triggered. I went into the Search, typed:

index=* sourcetype="WinEventLog:Security" EventCode=4625 | stats count by host, Account_Name, name | where count > 4

The search is then saved as an Alert:

**Title:** <the name>
**Description:** <the description>
**Permissions:** Private
** Alert Type:** Real-time
**Trigger Alert when:** Per-Result
(No Throttling)

The issue is that it pulls results every five seconds. It seems that the system checks the log within my given time frame, notices that there are still logs, so triggers another alert. I then tried switching my search to:

index=* sourcetype="WinEventLog:Security" EventCode=4625 | stats count by host, Account_Name, name

with the following Alert Type:

**Alert Type:** Real-time
**Trigger alert when:** Number of Results **is** greater than 4 *in* 10 minute(s)
**Trigger:** Once
(No Throttle)

However, when I do that, it pulls up nothing. Any help would be appreciated, I've been stuck on this for two days.

Re: Alert for Failed Login Attempts

horsefez — Mon, 26 Jun 2017 16:47:07 GMT

Hi drizzo,

ever tried "sheduled" instead of real-time before?

Do a Cron-Shedule and configure:

  earliest:  -10m@m
  latest:  @m
  cron expression:  */10 * * * *

Re: Alert for Failed Login Attempts

ChrisG — Mon, 26 Jun 2017 16:50:56 GMT

Instead of ... | where count > 4, try ...| search count > 4 Or did you already try that?

Re: Alert for Failed Login Attempts

drizzo — Mon, 26 Jun 2017 17:11:50 GMT

I just tested it out -- didn't work.

Re: Alert for Failed Login Attempts

ChrisG — Mon, 26 Jun 2017 17:18:18 GMT

Then yes, I agree with pyro_wood that a scheduled alert, with throttling, is probably the way to go. Again, just to confirm: you have already read Configure alert trigger conditions and Throttle alerts in the Alerting Manual?

Re: Alert for Failed Login Attempts

drizzo — Mon, 26 Jun 2017 17:26:40 GMT

I've not read the throttle alert ones. I'll take a gander. Thanks

Re: Alert for Failed Login Attempts

drizzo — Mon, 26 Jun 2017 17:28:46 GMT

I just put it in. Still not working, but I'm going to quickly read up on Throttle Alerts to make sure I put in what you suggested correctly and that nothing else is interfering.

Re: Alert for Failed Login Attempts

drizzo — Mon, 26 Jun 2017 19:19:03 GMT

This ended up working after I put in a throttle. Thanks for your help.

Re: Alert for Failed Login Attempts

jcolon68 — Tue, 04 Jun 2019 20:28:56 GMT

What if you only wanted to check for maybe 4 particular accounts and not all?