
Alert - Brute Force Attacks

monteirolopes
Communicator

Hello guys,

I would like to know how to set up an alert that will list brute force attack attempts.
At the moment I have created the following query:

source="WinEventLog:Security" | transaction user, ip maxpause=5s maxevents=500 | where eventcount > 5 | table user, ip, eventcount

5 login attempts in 5 seconds by user.

In my case, how do I save this query as an alert? Should it be scheduled or real-time?
Is it possible to do this alert?
Can anybody help me?

Best regards,
Lopes.


inventsekar
SplunkTrust

After the search query bar and just above the time picker, you have a "Save As" drop-down menu.
It will give you three options: Report, Dashboard Panel, Alert. Choose the third one, Alert.

Scheduled vs. real-time alerts, for an alert type comparison:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/AlertTypesOverview

This is for creating scheduled alerts:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Definescheduledalerts

Once the alert condition is matched (5 login attempts in 5 seconds by user), you can create an email notification:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Emailnotification

thanks and best regards,
Sekar

PS: If this or any post helped you in any way, please consider upvoting. Thanks for reading!

monteirolopes
Communicator

I didn't understand the rules/conditions for my alert trigger.
In my query I am listing only the results that I want to receive by mail, but how can I set the alert for this case?

Thanks.


inventsekar
SplunkTrust

For this requirement, you can choose the trigger condition "Number of Results is greater than 0".


thanks and best regards,
Sekar

PS: If this or any post helped you in any way, please consider upvoting. Thanks for reading!

monteirolopes
Communicator

And about the type: scheduled? Every 5 seconds? How do I do that?


inventsekar
SplunkTrust

Maybe you can choose real-time alerting.
Regarding alert scheduling, maybe you can choose "every minute" and check for 60 logins (60 logins in 60 seconds).

thanks and best regards,
Sekar

PS: If this or any post helped you in any way, please consider upvoting. Thanks for reading!

monteirolopes
Communicator
  • It does not work in real-time; the amount of events is incremental.
  • Alert scheduling (60 logins in 60 seconds) doesn't configure a brute force attack.
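The following savedsearches.conf stanza is an added worked example and is not from the thread, from either poster, or from Splunk's documentation. It shows one way to reconcile the two replies above: the original transaction search (5 attempts within 5 seconds per user/ip) is kept as the alert's search and saved as a scheduled alert with the "Number of Results is greater than 0" trigger, run every minute over a slightly overlapping window, instead of loosening the condition to 60 logins in 60 seconds. The stanza name, the EventCode=4625 filter (Windows "account failed to log on"), the suppression period, and the e-mail address are assumptions, not values from the thread.

```ini
# savedsearches.conf  (added example; stanza name, EventCode filter, suppression
# period and recipient address are assumptions, not values from the thread)
[Brute Force - 5 failed logons in 5s]

# The original query from the thread. Restricting to EventCode=4625 (failed logon)
# is an added assumption; the thread counts "login attempts" without saying which.
search = source="WinEventLog:Security" EventCode=4625 \
| transaction user, ip maxpause=5s maxevents=500 \
| where eventcount > 5 \
| table _time, user, ip, eventcount

# Scheduled rather than real-time: run every minute over the previous two
# minutes, so a burst that straddles a minute boundary still lands in one
# transaction. The overlap means one burst can be seen by two consecutive runs;
# the suppression settings below keep that from e-mailing the same user/ip twice.
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -2m@m
dispatch.latest_time = now

# Trigger condition "Number of Results is greater than 0" from the reply above.
counttype = number of events
relation = greater than
quantity = 0

# Trigger once per result (per user/ip row) so the e-mail carries that row's
# fields, and throttle repeats for the same user/ip for 10 minutes (assumed period).
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.period = 10m
alert.suppress.fields = user,ip
alert.track = 1
alert.severity = 4

# E-mail action; the recipient is a placeholder.
action.email = 1
action.email.to = soc@example.invalid
action.email.subject = Splunk Alert: possible brute force ($result.user$ from $result.ip$)
action.email.inline = 1
```

Two caveats a practitioner would check before relying on this: the `user` and `ip` field names must actually be extracted from your Windows Security events (the thread's query assumes they are), and `transaction` is expensive at high event volumes, so on a busy domain controller the same 5-in-5-seconds condition is usually expressed with `bin _time span=5s | stats count by _time, user, ip | where count > 5` instead; the alert settings above are unchanged by that substitution.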