topic Re: How to find out failed login attempts with (Event Code=4625) which will happen more than 6 times with in one hour? in Splunk Search

How to find out failed login attempts with (Event Code=4625) which will happen more than 6 times with in one hour?

90509 — Wed, 30 Sep 2020 01:06:31 GMT

Hi All,

I would like to find out failed login attempts happen more than 6 times with in 1hr time span.So here the main thing is the data come up with Events codes(Event Codes=4638,4722,4720) each and every time when we run a search in search bar.

event code 4625 should be separate from all the other event codes. Because 4625 is the only event code where we look for more than 6 failed attempts. The other three event codes we need to see each time they happen.
could anyone please assist me how to pull the 3 event codes every except event code:4625

Below is my search::

index=".........." AND sourcetype=".........." AND tag="....." AND NOT ((user=null) OR (tag=.............)) AND EventCode=4625 OR (EventCode=4720 OR EventCode=4722 OR EventCode=4738)
| fillnull value="N/A"
| bin _time span=1hr as HourDay
| eval hourDay=strftime(HourDay,"%m-%d-%y %H:%M:%S")
| stats count last(hourDay) as timestamp by user, HourDay, EventCode, Account_Domain, Account_Name, dvc_owner,dvc_bunit,dvc_ip, subject, dvc,
| where count>6
|fields - HourDay
| search NOT
[| inputlookup ........csv
| rename service_accounts as user]

Re: How to find out failed login attempts with (Event Code=4625) which will happen more than 6 times with in one hour?

sandeepmakkena — Wed, 30 Sep 2020 01:06:34 GMT

| multisearch
[ search ndex=".........." AND sourcetype=".........." AND tag="....." AND NOT ((user=null) OR (tag=.............)) AND EventCode=4625
| fillnull value="N/A"
| bin _time span=1hr as HourDay
| eval hourDay=strftime(HourDay,"%m-%d-%y %H:%M:%S")
| stats count last(hourDay) as timestamp by user, HourDay, EventCode, Account_Domain, Account_Name, dvc_owner,dvc_bunit,dvc_ip, subject, dvc,
| where count>6
| fields - HourDay
| search NOT
[| inputlookup ........csv
| rename service_accounts as user]
| eval event=event/2]
[ search
[ search ndex=".........." AND sourcetype=".........." AND tag="....." AND NOT ((user=null) OR (tag=.............)) AND EventCode=4720 OR EventCode=4722 OR EventCode=4738
| fillnull value="N/A"
| bin _time span=1hr as HourDay
| eval hourDay=strftime(HourDay,"%m-%d-%y %H:%M:%S")
| stats count last(hourDay) as timestamp by user, HourDay, EventCode, Account_Domain, Account_Name, dvc_owner,dvc_bunit,dvc_ip, subject, dvc,
| where count>1
| fields - HourDay
| search NOT
[| inputlookup ........csv
| rename service_accounts as user]

This should work.

Re: How to find out failed login attempts with (Event Code=4625) which will happen more than 6 times with in one hour?

sandeepmakkena — Wed, 26 Jun 2019 20:08:59 GMT

Did this work ?

Re: How to find out failed login attempts with (Event Code=4625) which will happen more than 6 times with in one hour?

90509 — Thu, 27 Jun 2019 14:22:35 GMT

I hope the logic is correct but I don't know I am getting error like "Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)"

Re: How to find out failed login attempts with (Event Code=4625) which will happen more than 6 times with in one hour?

90509 — Tue, 02 Jul 2019 10:33:14 GMT

no the second part of the search not working