Alerting

Create alerts for failed Logons

heathramos
Path Finder

Splunk has a dashboard that list Users Failing to Logon from Multiple IPs and Failed Logons by Username.

I am interested in setting up alerts based off of those but I'm unsure how.

I know I can open each up in a search and I could choose save as an alert from the drop down box but I don't know if that is the best approach.

I don't want to rely on running a report manually so need an alert that triggers an email

Tags (1)
0 Karma

heathramos
Path Finder

Failed Logons by Username:

eventtype=msad-failed-user-logons (host="*") src_nt_domain="." | fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type | join src_ip [|inputlookup tHostInfo | table src_ip,src_host,src_nt_domain]

0 Karma

heathramos
Path Finder

Users Failing to Logon from Multiple IPs:

eventtype=msad-failed-user-logons (host="*")|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type |ip-to-host|fix-localhost|stats count by user,src_nt_domain,src_host,src_nt_host|stats count as nips by user,src_nt_domain|where nips>1|sort -nips|rename nips as "# Workstations", user as Username, src_nt_domain as "Domain"

Want: An email generated when count of IPs >1

Question: How to control the time interval? Real time alter when count >1 over the last 2 min?

0 Karma

akocak
Contributor

Hi Heathramos,

I had similar need recently and made it there with following:

    index=_audit "action=login attempt" sourcetype=audittrail  NOT SEARCH  | table  _time user src dest info

if you are looking for failed only, you can either add

|search info=failed

to the end of the search OR:

index=_audit "action=login attempt" sourcetype=audittrail info=failed NOT SEARCH  | table  _time user src dest info
0 Karma

heathramos
Path Finder

just to clarify, I mean failed logons to computer/domain, not failed logons into Splunk

0 Karma

akocak
Contributor

this info should be in WinEvent:Security logs. I don't have that app to check win logins. if you can provide search by clicking that dashboard or application name/dashboard name of the view, I can help further.

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...