Alerting

Create alerts for failed Logons

heathramos
Path Finder

Splunk has a dashboard that list Users Failing to Logon from Multiple IPs and Failed Logons by Username.

I am interested in setting up alerts based off of those but I'm unsure how.

I know I can open each up in a search and I could choose save as an alert from the drop down box but I don't know if that is the best approach.

I don't want to rely on running a report manually so need an alert that triggers an email

Tags (1)
0 Karma

heathramos
Path Finder

Failed Logons by Username:

eventtype=msad-failed-user-logons (host="*") src_nt_domain="." | fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type | join src_ip [|inputlookup tHostInfo | table src_ip,src_host,src_nt_domain]

0 Karma

heathramos
Path Finder

Users Failing to Logon from Multiple IPs:

eventtype=msad-failed-user-logons (host="*")|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type |ip-to-host|fix-localhost|stats count by user,src_nt_domain,src_host,src_nt_host|stats count as nips by user,src_nt_domain|where nips>1|sort -nips|rename nips as "# Workstations", user as Username, src_nt_domain as "Domain"

Want: An email generated when count of IPs >1

Question: How to control the time interval? Real time alter when count >1 over the last 2 min?

0 Karma

akocak
Contributor

Hi Heathramos,

I had similar need recently and made it there with following:

    index=_audit "action=login attempt" sourcetype=audittrail  NOT SEARCH  | table  _time user src dest info

if you are looking for failed only, you can either add

|search info=failed

to the end of the search OR:

index=_audit "action=login attempt" sourcetype=audittrail info=failed NOT SEARCH  | table  _time user src dest info
0 Karma

heathramos
Path Finder

just to clarify, I mean failed logons to computer/domain, not failed logons into Splunk

0 Karma

akocak
Contributor

this info should be in WinEvent:Security logs. I don't have that app to check win logins. if you can provide search by clicking that dashboard or application name/dashboard name of the view, I can help further.

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...