Alerting

Creating Alerts When You Don't Know What to Search For??

Rayj00
New Member

I'm a newbie with Splunk. So, if an event never happened before (like failed authentication for instance), Splunk obviously does not have it indexed. How do I set up an alert if a failed authorization happens, say, 10 times in 5 minutes?

Thanks,

Ray

0 Karma

Rayj00
New Member

I guess my problem is getting the correct information when events haven't happened yet.
So, how do I know what to trigger on when an event has not happened yet?

Thanks,

Ray

0 Karma

Brian_Osburn
Builder

If it's a common application (such as, say, Windows login) you can google for the exception. Or, if it's a homegrown app, ask your developers.

0 Karma

sfleming
Splunk Employee

If there's a field in your data that represents auth status (success, etc.), you can set up your search using the != operator. (not equal to)

... myAuthStatusField!=success

Or, if you know what the value WOULD be for a failed login, it's better to be specific and use

... myAuthStatusField=failed (or denied, or whatever the value would potentially be)

Then set your search schedule to run every 5 minutes for a time range of the last 5 minutes. Set your alert conditions to "if number of events is greater than 9".

If you don't have that field defined and haven't extracted a new field before, you can read the full documentation here: http://docs.splunk.com/Documentation/Splunk/4.2.3/User/ExtractNewFields

0 Karma
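As an added example (not code from this thread and not Splunk's own code), the following Python runs the logic the answer above describes over a few constructed log lines: keep events whose auth-status field is not "success", look only at the last 5 minutes, and fire when more than 9 match. The field name myAuthStatusField comes from the answer; the user= field, the index name, the timestamp layout and every sample line are assumptions made for this example. It also goes slightly beyond the answer by applying the same threshold per user, so the alert names the account involved, and it shows that a window with no matching events (the case Ray asks about, where the failure has not happened yet) simply yields a count of zero and no alert.

```python
"""Added example, not code from the thread or from Splunk: the scheduled-alert
logic from the answer above, evaluated offline over constructed log lines.
myAuthStatusField is the field name used in the answer; user=, index=auth,
the timestamp format and all sample data are assumptions for this example."""
from datetime import datetime, timedelta
import re

# The Splunk side of the same logic, for reference. The != test and the
# per-user stats are real SPL; the index name is assumed.
SPL_SEARCH = 'index=auth myAuthStatusField!=success | stats count by user'
SPL_SCHEDULE = 'run every 5 minutes, earliest=-5m latest=now, trigger if count > 9'

WINDOW = timedelta(minutes=5)
THRESHOLD = 9              # "greater than 9" means 10 or more events
SUCCESS_VALUE = 'success'
TS_FORMAT = '%Y-%m-%dT%H:%M:%SZ'

# Constructed sample log (key=value layout assumed). bob's first failure is
# older than the 5-minute window; carol's "denied" shows why != matters.
SAMPLE_LOG = """\
2024-01-01T09:57:00Z user=bob myAuthStatusField=failed
2024-01-01T10:00:01Z user=alice myAuthStatusField=success
2024-01-01T10:00:05Z user=bob myAuthStatusField=failed
2024-01-01T10:00:10Z user=bob myAuthStatusField=failed
2024-01-01T10:00:15Z user=bob myAuthStatusField=failed
2024-01-01T10:00:20Z user=bob myAuthStatusField=failed
2024-01-01T10:00:25Z user=bob myAuthStatusField=failed
2024-01-01T10:00:30Z user=bob myAuthStatusField=failed
2024-01-01T10:00:35Z user=bob myAuthStatusField=failed
2024-01-01T10:00:40Z user=bob myAuthStatusField=failed
2024-01-01T10:00:45Z user=bob myAuthStatusField=failed
2024-01-01T10:00:50Z user=bob myAuthStatusField=failed
2024-01-01T10:01:00Z user=alice myAuthStatusField=failed
2024-01-01T10:03:00Z user=carol myAuthStatusField=denied
this line has no fields and is skipped by the parser
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+myAuthStatusField=(?P<status>\S+)$'
)


def parse_events(text):
    """Turn log lines into (timestamp, user, status); lines without the fields are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m['ts'], TS_FORMAT), m['user'], m['status']))
    return events


def evaluate(log_text, window_end_iso, window=WINDOW, threshold=THRESHOLD):
    """One scheduled run: count non-success events in (window_end - window, window_end].

    'alert' is the answer's condition (total events > threshold); 'alert_users'
    applies the same threshold per user. A window with no matching events,
    i.e. the failure has not happened yet, gives total 0 and no alert.
    """
    window_end = datetime.strptime(window_end_iso, TS_FORMAT)
    start = window_end - window
    by_user = {}
    for ts, user, status in parse_events(log_text):
        if start < ts <= window_end and status != SUCCESS_VALUE:
            by_user[user] = by_user.get(user, 0) + 1
    total = sum(by_user.values())
    return {
        'total': total,
        'by_user': by_user,
        'alert': total > threshold,
        'alert_users': sorted(u for u, n in by_user.items() if n > threshold),
    }


if __name__ == '__main__':
    # Two consecutive scheduled runs: the first sees only bob's old failure,
    # the second sees the burst and fires.
    for end in ('2024-01-01T10:00:00Z', '2024-01-01T10:05:00Z'):
        print(end, evaluate(SAMPLE_LOG, end))
```

Run it as a script to see both scheduled evaluations; the first window contains a single failure and stays quiet, the second contains twelve non-success events and fires, with bob as the only user over the threshold.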