Create alerts for failed Logons

heathramos
Path Finder

Splunk has a dashboard that lists Users Failing to Logon from Multiple IPs and Failed Logons by Username.

I am interested in setting up alerts based on those, but I'm unsure how.

I know I can open each one up in a search and choose "save as alert" from the drop-down box, but I don't know if that is the best approach.

I don't want to rely on running a report manually, so I need an alert that triggers an email.


heathramos
Path Finder

Failed Logons by Username:

    eventtype=msad-failed-user-logons (host="*") src_nt_domain="."
    | fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type
    | join src_ip [| inputlookup tHostInfo | table src_ip,src_host,src_nt_domain]


heathramos
Path Finder

Users Failing to Logon from Multiple IPs:

    eventtype=msad-failed-user-logons (host="*")
    | fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type
    | ip-to-host
    | fix-localhost
    | stats count by user,src_nt_domain,src_host,src_nt_host
    | stats count as nips by user,src_nt_domain
    | where nips>1
    | sort -nips
    | rename nips as "# Workstations", user as Username, src_nt_domain as "Domain"

Want: an email generated when the count of IPs is >1.

Question: how do I control the time interval? A real-time alert when count >1 over the last 2 minutes?

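The "Users Failing to Logon from Multiple IPs" search above, turned into a scheduled alert with a controlled time window and an email action. This is an added savedsearches.conf example written for this thread, not Splunk's own configuration or anything posted by the original participants. It assumes the `msad-failed-user-logons` eventtype and the `ip-to-host` / `fix-localhost` commands from the dashboard are available where the alert runs; the stanza name, the `soc@example.com` recipient, the suppression period and the severity are placeholders to adjust.

```ini
# savedsearches.conf, placed in an app's local/ directory
# (for example $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf).
# Stanza name and recipient address are assumed values, not from the thread.
[Failed logons from multiple IPs]

# The dashboard search from the thread. The time range is NOT hard-coded here;
# it comes from dispatch.earliest_time / dispatch.latest_time below.
# Backslash at end of line is the .conf line-continuation syntax.
search = eventtype=msad-failed-user-logons \
    | fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type \
    | ip-to-host | fix-localhost \
    | stats count by user,src_nt_domain,src_host,src_nt_host \
    | stats count as nips by user,src_nt_domain \
    | where nips>1 \
    | sort -nips \
    | rename nips as "# Workstations", user as Username, src_nt_domain as "Domain"

# Scheduled search (not real-time): run every 2 minutes over the previous
# 2-minute window, snapped to minute boundaries so consecutive runs tile
# the timeline without gaps or double counting.
enableSched = 1
cron_schedule = */2 * * * *
dispatch.earliest_time = -2m@m
dispatch.latest_time = @m

# Trigger whenever the search returns at least one row. The threshold itself
# (more than one workstation per user) is already enforced by `where nips>1`
# inside the search, so the alert condition only has to check for a non-empty result.
counttype = number of events
relation = greater than
quantity = 0

# Fire once per result row so each email names a single user, and do not
# re-alert on the same user for 10 minutes (throttling keyed on the renamed field).
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.period = 10m
alert.suppress.fields = Username
alert.track = 1
alert.severity = 4

# Email action: inline results plus a link back to the search in Splunk.
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk alert: $name$ for $result.Username$
action.email.sendresults = 1
action.email.inline = 1
action.email.include.results_link = 1
```

A scheduled search on a short cron interval is the usual answer to "real-time alert over the last 2 minutes": real-time alerts hold a search process open permanently on the search head, while this stanza costs one two-minute search every two minutes and gives the same latency. If Windows event forwarding lags, widen the window and shift it back (for example `-4m@m` to `-2m@m`) and let `alert.suppress` absorb the overlap. The first dashboard search, "Failed Logons by Username", can be made into an alert the same way by putting it in `search` and appending a `| stats count by user | where count > N` threshold of your choosing.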

akocak
Contributor

Hi Heathramos,

I had a similar need recently and got there with the following:

    index=_audit "action=login attempt" sourcetype=audittrail  NOT SEARCH  | table  _time user src dest info

If you are looking for failed logins only, you can either add

    | search info=failed

to the end of the search, OR:

    index=_audit "action=login attempt" sourcetype=audittrail info=failed NOT SEARCH  | table  _time user src dest info

heathramos
Path Finder

Just to clarify, I mean failed logons to a computer/domain, not failed logons into Splunk.


akocak
Contributor

This info should be in the WinEvent:Security logs. I don't have that app to check Windows logins. If you can provide the search (by clicking that dashboard) or the application name/dashboard name of the view, I can help further.
