Hello guys,
I would like to know how to set an alert that will list attempts of brute force attacks.
At moment I'm created the follow query:
source="WinEventLog:Security" | transaction user, ip maxpause=5s maxevents=500 | where eventcount > 5 | table user, ip, eventcount
5 login attempts in 5 seconds by user.
In my case, how to save this query like an alert? Is it scheduled or real-time?
Is it possible do this alert?
Can anybody help me?
Best regards,
Lopes.
after the search query bar and just above the time-picker, you have a "Save As" down drop menu.
it will give you three options - Report, Dashboard panel, Alert. choose the 3rd one - Alert.
Scheduled Vs Real-time alerts - for alert type comparisions -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/AlertTypesOverview
this is for creating scheduled alerts -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Definescheduledalerts
once the alert condition got matched (5 login attempts in 5 seconds by user), you can create an email notification -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Emailnotification
I didn't understand the rules/conditions for my alert trigger.
On my query I am listing only the results that I want receive form mail, but, How Can I set the alert for this case?
Thanks.
for this requirement, you can choose the trigger condition as "Number of Results is greater than 0"
And about the type: scheduled? Every 5 seconds ? How I do that?
Maybe, you can choose a real time alerting.
regarding alert scheduling, maybe, you can choose "every min" and check for 60 logins. (60logins in 60 seconds)