I made an alert query that particularly looks for Windows failed logins by users using stats. It works.
Whenever there is an event count greater than 0, it'll showcase it and display it. It works.
Now here comes the problem:
The user who is constantly failing over a period of time also causes a massive amount of alert notification triggers. Let's say it's every 10 minutes for the alert interval. Every 10 minutes we'll be notified for the same user failing.
There is this option in Splunk, that I am aware of:
This option works per se; however, if now a different user account were to have a +1 count, it will not be alerted because the alert won't trigger until the next 20 minutes.
So here comes the question:
How can I make alert triggers intelligent enough to distinguish each user account as unique but if the user account was last seen then don’t trigger that same account for X amount of hours?
Hopefully I made sense, if not I’ll try to elaborate the problem further:
Account1 failed 5 logins at 1:00 triggered
Account2 failed 10 logins at 1:10 no trigger because of “after triggering the alert, don’t trigger it again for 20 minutes…”
Account1 failed 5 logins at 1:20 triggered
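To make the difference concrete, here is an added simulation (not part of the original post, and not Splunk code) that replays the timeline above through two suppression strategies: one global throttle clock for the whole alert, which is what the post describes, and one clock per account value, which is what the post is asking for. The timeline is a constructed sample, and the minute values and account names are assumptions chosen to match the post's example.

```python
from dataclasses import dataclass


@dataclass
class FailedLoginBatch:
    """One stats row: how many failed logins an account had in a 10-minute window."""
    minute: int      # minutes since midnight (constructed sample clock)
    account: str
    failures: int


# Constructed sample timeline mirroring the post: Account1 at 1:00, Account2 at 1:10,
# Account1 again at 1:20, plus a later Account1 batch at 5:00 to show the clock expiring.
SAMPLE = [
    FailedLoginBatch(60, "Account1", 5),
    FailedLoginBatch(70, "Account2", 10),
    FailedLoginBatch(80, "Account1", 5),
    FailedLoginBatch(300, "Account1", 3),
]


def global_throttle(batches, suppress_minutes):
    """Single suppression clock shared by every result (the post's current behaviour).

    Returns the (minute, account) pairs that would produce a notification.
    """
    fired = []
    last_fire = None
    for b in batches:
        if b.failures <= 0:
            continue
        if last_fire is None or b.minute - last_fire >= suppress_minutes:
            fired.append((b.minute, b.account))
            last_fire = b.minute
        # otherwise suppressed, even if this is a different account
    return fired


def per_account_throttle(batches, suppress_minutes):
    """Separate suppression clock per account value (the behaviour the post wants).

    A new account always fires; a known account fires again only once
    suppress_minutes have elapsed since its own last notification.
    """
    fired = []
    last_fire = {}  # account -> minute of its last notification
    for b in batches:
        if b.failures <= 0:
            continue
        last = last_fire.get(b.account)
        if last is None or b.minute - last >= suppress_minutes:
            fired.append((b.minute, b.account))
            last_fire[b.account] = b.minute
    return fired


if __name__ == "__main__":
    print("global 20 min:     ", global_throttle(SAMPLE, 20))
    print("per-account 20 min:", per_account_throttle(SAMPLE, 20))
    print("per-account 4 h:   ", per_account_throttle(SAMPLE, 240))
```

With a 20-minute window, the global clock reproduces the post's timeline exactly (Account2 at 1:10 is swallowed by Account1's suppression), while the per-account clock notifies for Account2 as well; raising the per-account window to 4 hours then silences the repeated Account1 batches without affecting any other account. In Splunk itself the per-account clock is the alert's throttle option "Suppress results containing field value" with the account field named, and it only behaves this way when the alert is set to trigger for each result rather than once per search, since a single digest result has no per-account field to key on.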