Solved: Re: Create an alert for account login fails at a c...

jcolon68 · ‎06-04-2019

I'd like some ideas on alerting when an Active Directory account has a particular # of login failures within a particular amount of time. The premise is to try and send an alert on an account that is about to get locked out.

kmorris_splunk · ‎06-05-2019

Is this what you are looking for?

sourcetype="WinEventLog:Security" EventCode=4625 earliest=-15m@m 
| eval userfield=mvindex(Account_Name,1) 
| stats count as failedlogins by userfield 
| where failedlogins > 4

I did the userfield extraction because Account_Name is usually a multivalued field. My demo data has a - in there. To change the time window, modify the earliest=-15m@m in the first line. To change the threshold, modify the where clause.

View solution in original post

kmorris_splunk · ‎06-05-2019

Is this what you are looking for?

sourcetype="WinEventLog:Security" EventCode=4625 earliest=-15m@m 
| eval userfield=mvindex(Account_Name,1) 
| stats count as failedlogins by userfield 
| where failedlogins > 4

I did the userfield extraction because Account_Name is usually a multivalued field. My demo data has a - in there. To change the time window, modify the earliest=-15m@m in the first line. To change the threshold, modify the where clause.

jcolon68 · ‎06-05-2019

This is great! Thanks! what if I just wanted to monitor a couple of specific acccounts?

kmorris_splunk · ‎06-05-2019

Then you could filter it in the where clause:

| where failedlogins > 4 AND userfield in ("user1","user2")

Create an alert for account login fails at a certain amount of times within a certain time

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout