Alerting

How do you set up an alert for a failed password attempt?

sherrysafdar
Explorer

Hello,

I am trying to set up alerts on failed password attempts for any user on my *nix box.

Below is my query and it works fine, but I am having trouble setting up alerts. It just floods my mailbox as soon as the condition matches.

index="main" "Failed password for" OR "authentication failure"
| rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (?<port>\d+)"
| stats count by _time, SSHInvalidUser, InvalidSSHIP, host | eventstats count by SSHInvalidUser

Below is what my current trigger condition looks like.

Alert type = Real-time

Trigger alert when -> Number of Results
Is Greater than 1
In 1 minutes

Trigger Once

Basically, I would like it to trigger if there are multiple users, or even a single user, trying to break in, or a possible brute-force attack.

Thanks!

Regards,


chrisyounger
SplunkTrust

Don't set the alert to "real-time". Set it to "Scheduled" then "Cron schedule" and * * * * * which will run it every minute.

All the best


sherrysafdar
Explorer

For that I think I may need to change the condition in my query; please correct me if I am wrong.

index="main" "Failed password for" OR "authentication failure"
| bin _time span=10m
| rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (?<port>\d+)"
| stats count by _time, SSHInvalidUser, InvalidSSHIP, host | where count >= 1

I have set up the following alert schedule:
*/10 * * * *

Run every 10 minutes and, if the count is equal to or more than 1 within the 10-minute time span, send the alert.

Please advise!

thanks,


chrisyounger
SplunkTrust

You don't need to use the bin command. Your original query will work fine for any time period you want to set. Just be sure to use "Scheduled" and then set the time period in the alert configuration to match the run frequency.


rawanalawshan12
Observer

Hi,

I want to know how to set up an alert for specific users if they have 5 failed password attempts.


sherrysafdar
Explorer

I have set the Time Range to 15 minutes and Run on Cron Schedule with * * * * * (every minute). Do I also have to do something in Trigger Conditions, or leave it at the default?

So basically it checks a 15-minute time range, runs the cron job every minute, and checks whether there have been any failed login attempts in the last 15 minutes? Please correct me if I am wrong.


chrisyounger
SplunkTrust

It will run every minute, and search the past 15 minutes. This means you will get 15 emails for every event. So you need to set the time range the same as the run frequency. Set trigger conditions to "Trigger once if results > 0".

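The two points chrisyounger makes (a scheduled search whose time range is wider than its cron interval re-alerts on the same events, and the trigger should be "once if results > 0"), together with rawanalawshan12's question about a per-user threshold of 5 failures, can be checked outside Splunk with a small simulation. The Python below is an added example, not code from the thread or from Splunk. It parses constructed sshd lines with the same capture-group names as the thread's rex (the group name `port` is assumed), replays scheduled runs over them, and counts failures per user. The timestamps, hostnames and addresses are constructed, and the SPL shown in the comment is an assumed equivalent of the per-user rule.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Same capture-group names as the thread's rex; the group name "port" is assumed.
SSH_FAIL_RE = re.compile(
    r"Failed password for (?P<SSHInvalidUser>.*?) from "
    r"(?P<InvalidSSHIP>[^ ]+) port (?P<port>\d+)"
)

# Constructed sshd lines for the demo; not real log data.
SAMPLE_LOG = """\
2024-12-02T10:00:05 host1 sshd[101]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-12-02T10:00:09 host1 sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
2024-12-02T10:00:15 host1 sshd[103]: Failed password for root from 203.0.113.7 port 51041 ssh2
2024-12-02T10:00:21 host1 sshd[104]: Failed password for root from 203.0.113.7 port 51055 ssh2
2024-12-02T10:00:27 host1 sshd[105]: Failed password for root from 203.0.113.7 port 51063 ssh2
2024-12-02T10:00:33 host1 sshd[106]: Failed password for root from 203.0.113.7 port 51070 ssh2
2024-12-02T10:00:40 host1 sshd[107]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2
2024-12-02T10:07:12 host1 sshd[110]: Failed password for bob from 198.51.100.22 port 43210 ssh2
"""


class SshFailure(NamedTuple):
    ts: datetime
    user: str
    ip: str
    port: int
    host: str


def parse_events(text: str) -> List[SshFailure]:
    """Extract failed-password events; non-matching lines (e.g. accepted logins) are skipped."""
    events = []
    for line in text.splitlines():
        m = SSH_FAIL_RE.search(line)
        if not m:
            continue
        stamp, host = line.split(" ", 2)[:2]
        events.append(SshFailure(datetime.fromisoformat(stamp), m["SSHInvalidUser"],
                                 m["InvalidSSHIP"], int(m["port"]), host))
    return events


def simulate_alert_runs(events, first_run, last_run, run_every, time_range) -> int:
    """Replay a scheduled alert configured as 'trigger once if results > 0'.

    Each run at time t searches the half-open window [t - time_range, t) and
    sends one notification if any event falls inside it. Returns the number of
    notifications sent over the simulated period.
    """
    fired = 0
    t = first_run
    while t <= last_run:
        if any(t - time_range <= e.ts < t for e in events):
            fired += 1
        t += run_every
    return fired


FIRST_RUN = datetime(2024, 12, 2, 10, 1)   # "* * * * *" fires at the top of each minute
LAST_RUN = datetime(2024, 12, 2, 10, 30)


def compare_schedules(events) -> dict:
    """Notifications sent with a 15-minute time range vs. a range equal to the cron interval."""
    every_minute = timedelta(minutes=1)
    return {
        "15min_range_1min_cron": simulate_alert_runs(events, FIRST_RUN, LAST_RUN, every_minute, timedelta(minutes=15)),
        "1min_range_1min_cron": simulate_alert_runs(events, FIRST_RUN, LAST_RUN, every_minute, every_minute),
    }


def users_over_threshold(events, threshold: int = 5) -> dict:
    r"""Users with at least `threshold` failures in the search window (the per-user rule
    rawanalawshan12 asked for). Assumed SPL equivalent, run as a scheduled alert whose
    time range equals the cron interval:
        index="main" "Failed password for"
        | rex "Failed password for (?<SSHInvalidUser>.*?) from (?<InvalidSSHIP>[^ ]+) port (?<port>\d+)"
        | stats count by SSHInvalidUser | where count >= 5
    """
    counts = Counter(e.user for e in events)
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(compare_schedules(evs))        # {'15min_range_1min_cron': 22, '1min_range_1min_cron': 2}
    print(users_over_threshold(evs, 5))  # {'root': 5}
```

With the 15-minute range and a one-minute cron, the same burst of failures is re-found by fifteen consecutive runs (22 notifications for the sample, 15 of them for bob's single event alone); with the range equal to the interval, each window containing failures produces exactly one notification. The per-user count is the same `stats count by SSHInvalidUser | where count >= 5` logic, applied to whatever the scheduled window returns.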

sherrysafdar
Explorer

It worked perfectly!!!!

Thank you sir!
