https://community.splunk.com/t5/Splunk-Search/Password-Spray-Search-Alert/m-p/505532#M141277 <P>Hello! I am building an alert to detect potential password spraying (it is looking for 10 or more failed logons within the last 15 minutes, where the username is correct but the password is wrong).</P><P>It works well, however there is one issue. If the same user fails to login a lot then it will trigger the alert. I only want a failure to count if the usernames are different. For example, if one user fails to login 10 times it will NOT alert. If 10 different users fail to login once each then it would alert. Below is my syntax:</P><P>&nbsp;</P><LI-CODE lang="markup">index=*-windows-logs EventCode=4625 signature="User name is correct but the password is wrong" Account_Name!=*$ | stats count by src_ip | where count &gt; 10</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Jun 2020 16:15:36 GMT johann2017 2020-06-22T16:15:36Z https://community.splunk.com/t5/Splunk-Search/Password-Spray-Search-Alert/m-p/505532#M141277 <P>Hello! I am building an alert to detect potential password spraying (it is looking for 10 or more failed logons within the last 15 minutes, where the username is correct but the password is wrong).</P><P>It works well, however there is one issue. If the same user fails to login a lot then it will trigger the alert. I only want a failure to count if the usernames are different. For example, if one user fails to login 10 times it will NOT alert. If 10 different users fail to login once each then it would alert. Below is my syntax:</P><P>&nbsp;</P><LI-CODE lang="markup">index=*-windows-logs EventCode=4625 signature="User name is correct but the password is wrong" Account_Name!=*$ | stats count by src_ip | where count &gt; 10</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Jun 2020 16:15:36 GMT https://community.splunk.com/t5/Splunk-Search/Password-Spray-Search-Alert/m-p/505532#M141277 johann2017 2020-06-22T16:15:36Z https://community.splunk.com/t5/Splunk-Search/Password-Spray-Search-Alert/m-p/505536#M141278 <P>You are counting events by src_ip when what you want is distinct accounts by src_ip<BR /><BR />Replace your "count" with "dc(Account_Name) AS distinct_accounts" and the correct the where to use this new field.</P><P>Something like this:</P><LI-CODE lang="markup">index=*-windows-logs EventCode=4625 signature="User name is correct but the password is wrong" Account_Name!=*$ | stats dc(Account_Name) AS distinct_accounts by src_ip | where distinct_accounts &gt; 10</LI-CODE><P>&nbsp;</P> Mon, 22 Jun 2020 16:35:40 GMT https://community.splunk.com/t5/Splunk-Search/Password-Spray-Search-Alert/m-p/505536#M141278 diogofgm 2020-06-22T16:35:40Z https://community.splunk.com/t5/Splunk-Search/Password-Spray-Search-Alert/m-p/505593#M141297 <P>Thank you <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/90723">@diogofgm</a>&nbsp;this worked!</P> Mon, 22 Jun 2020 19:23:30 GMT https://community.splunk.com/t5/Splunk-Search/Password-Spray-Search-Alert/m-p/505593#M141297 johann2017 2020-06-22T19:23:30Z