
How do you set up an alert for a failed password attempt?

sherrysafdar
Explorer

Hello,

I am trying to set up alerts on failed password attempts for any user on my *nix box.

Below is my query and it works fine, but I am having trouble setting up alerts. It just floods my mailbox as soon as the condition matches.

index="main" "Failed password for" OR "authentication failure"
| rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (?<SSHPort>\d+)"
| stats count by _time,SSHInvalidUser, InvalidSSHIP, host | eventstats count by SSHInvalidUser

Below is what my current trigger condition looks like.

Alert type = Real-time

Trigger alert when -> Number of Results
Is Greater than 1
In 1 minutes

Trigger Once

Basically, I would like to get it triggered if there are multiple users or even a single user trying to break in, or a possible brute force.

Thanks!

Regards,

1 Solution

chrisyounger
SplunkTrust

Don't set the alert to "real-time". Set it to "Scheduled" then "Cron schedule" and * * * * * which will run it every minute.

All the best


sherrysafdar
Explorer

For that I think I may need to change my condition in the query; please correct me if I am wrong.

index="main" "Failed password for" OR "authentication failure"
| bin _time span=10m
| rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (?<SSHPort>\d+)"
| stats count by _time,SSHInvalidUser, InvalidSSHIP, host | where count >= 1

I have done the following alert:
*/10 * * * *

Run every 10 minutes and, if counts are equal to or more than 1 in the 10-minute time span, send the alert.

Please advise!

thanks,


chrisyounger
SplunkTrust

You don't need to use the bin command. Your original query will work fine for any time period you want to set. Just be sure to use "scheduled" and then set the "time-period" in the alert configuration to match the run frequency.


rawanalawshan12
Observer

Hi,

I want to know how I do alerts for specific users if they have a count of 5 failed passwords.


sherrysafdar
Explorer

I have set the Time Range 15 minutes and Run on Cron Schedule with * * * * * every minute. Do I also have to do something in Trigger Conditions or leave it default?

So basically it checks a 15-minute time range, runs the cron job every minute, and makes sure there are any failed login attempts in the last 15 minutes? Please correct me if I am wrong.


chrisyounger
SplunkTrust

It will run every minute, and search the past 15 minutes. This means you will get 15 emails for every event. So you need to set the time range the same as the run frequency. Set trigger conditions to "Trigger once if results > 0".

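The setup chrisyounger describes (cron every minute, search window equal to the run frequency, trigger once when results > 0), written out as savedsearches.conf stanzas, plus a second stanza for the per-user threshold rawanalawshan12 asked about. This is an added example, not configuration from the thread; the stanza names, the index, the SSHPort field name and the e-mail address are assumptions.

```ini
# Added example (not from the thread). Stanza names, index and
# e-mail address are placeholders; field names follow the thread's rex.

# Alert 1: any failed SSH login in the last minute. The window
# (-1m@m .. @m) equals the cron interval, so each event is found by
# exactly one run; a -15m window with a per-minute cron would report
# every event 15 times. Snapping to @m keeps consecutive windows
# contiguous even when the scheduler starts a few seconds late.
[ssh_failed_password_any]
enableSched = 1
cron_schedule = * * * * *
dispatch.earliest_time = -1m@m
dispatch.latest_time = @m
search = index="main" ("Failed password for" OR "authentication failure") \
  | rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (?<SSHPort>\d+)" \
  | stats count by SSHInvalidUser, InvalidSSHIP, host
# "Trigger once if results > 0": digest mode sends one e-mail per run
# that has results, not one e-mail per result row.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 1
alert.track = 1
action.email = 1
action.email.to = secops@example.com
action.email.subject = SSH failed logins on $result.host$

# Alert 2: one user with 5 or more failures from one source in a
# 10-minute window. Again the window matches the cron interval.
[ssh_failed_password_per_user]
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = @m
search = index="main" "Failed password for" \
  | rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (?<SSHPort>\d+)" \
  | stats count AS failures by SSHInvalidUser, InvalidSSHIP, host \
  | where failures >= 5
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.digest_mode = 1
alert.track = 1
# Suppress repeats for the same user/source for an hour so a sustained
# guessing attempt does not produce a new e-mail every 10 minutes.
alert.suppress = 1
alert.suppress.fields = SSHInvalidUser,InvalidSSHIP
alert.suppress.period = 1h
action.email = 1
action.email.to = secops@example.com
```

Place the file under an app's local/ directory and check Settings > Searches, reports, and alerts, where the time range and schedule should read as "last minute, every minute" for the first stanza.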

sherrysafdar
Explorer

It worked perfectly!!!!

Thank you sir!
