Alerting

How to add recurring days in Splunk?

majidlodhi
Explorer

Hi All,

I am new to Splunk and not a pro in scripting; any help will be appreciated. I am trying to write a query that will display data for recurring failed login attempts over a period of three days where the count is 50 or more.

E.g. if the user failed to log in 60 times today and 10 times on each of the next two days, the alert should not fire; but if the user failed to log in 60 times today, 70 tomorrow and 55 on the third day, it should fire with the details that I ask for.

I have written the query below so far, but I am not able to figure out the "3 days" part and how it should be written:
sourcetype=wineventlog:security action=failure | search daysago=3 WHERE count>50 | stats count by user,EventCode,Status,Failure_Reason | sort - count

Thank you.

0 Karma
1 Solution

aholzer
Motivator

You were fairly close; you just had your syntax slightly off and the order of operations backwards.

1. Run a stats to count the number of failures by user and day

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time

2. Next, look for anything that resulted in more than 50

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50

3. Next, assuming you will run this once a day for "today" + 2 days, you will want to count the number of occurrences where a single user had >50 failures

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50 | stats count by user

4. Finally, you only want to alert if there are any users with a count > 2

sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50 | stats count by user | search count > 2

So when you configure your alert, make sure to configure it to run with earliest: -3d@d latest: @d, and configure it to run once a day early in the morning.

Hope this helps

0 Karma
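The four-stage pipeline in the accepted answer, re-implemented as a small Python emulation so the threshold logic can be checked offline against the exact scenarios the asker described (60/10/10 must not fire, 60/70/55 must fire). This is an added example, not code from the thread or from Splunk; the events are constructed, the run day (2024-03-04), the `4625` EventCode and the `0xC000006D` status are assumed values, and day bucketing uses UTC calendar days, which stands in for Splunk's `bucket _time span=1d` boundary handling.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed run time: the alert fires early on 2024-03-04, so the answer's window
# earliest=-3d@d latest=@d covers 2024-03-01 through 2024-03-03 (UTC days here).
RUN_DAY = datetime(2024, 3, 4, tzinfo=timezone.utc)
WINDOW_DAYS = 3
THRESHOLD = 50   # the answer's `search count > 50` (strict, as in the thread)
MIN_DAYS = 2     # the answer's `search count > 2`: more than 2 of the 3 days


def _events(user, per_day, reason):
    """Constructed data: per_day[i] failure events for `user` on window day i."""
    out = []
    for day_offset, n in enumerate(per_day):
        day = RUN_DAY - timedelta(days=WINDOW_DAYS - day_offset)
        for i in range(n):
            out.append({
                "_time": day + timedelta(minutes=i),   # spread through the day
                "user": user,
                "EventCode": "4625",                   # assumed logon-failure code
                "Status": "0xC000006D",                # assumed NTSTATUS value
                "Failure_Reason": reason,
            })
    return out


# Constructed sample: the asker's two scenarios plus a two-day-only case.
SAMPLE_EVENTS = (
    _events("alice", [60, 10, 10], "Unknown user name or bad password.")   # must NOT fire
    + _events("bob", [60, 70, 55], "Unknown user name or bad password.")  # must fire
    + _events("carol", [51, 0, 51], "Unknown user name or bad password.") # only 2 days over
)


def in_window(t, run_day=RUN_DAY, days=WINDOW_DAYS):
    """Emulate earliest=-3d@d latest=@d: [run_day - days, run_day)."""
    return run_day - timedelta(days=days) <= t < run_day


def bucket_day(t):
    """Emulate `bucket _time span=1d` (assumption: UTC calendar day)."""
    return t.astimezone(timezone.utc).date().isoformat()


def failures_per_user_day(events):
    """Stage 1: `bucket _time span=1d | stats count by user, _time`."""
    counts = Counter()
    for ev in events:
        if in_window(ev["_time"]):
            counts[(ev["user"], bucket_day(ev["_time"]))] += 1
    return counts


def days_over_threshold(events, threshold=THRESHOLD):
    """Stages 2-3: `search count > 50 | stats count by user`."""
    days = Counter()
    for (user, _day), n in failures_per_user_day(events).items():
        if n > threshold:
            days[user] += 1
    return days


def users_to_alert(events, threshold=THRESHOLD, min_days=MIN_DAYS):
    """Stage 4: `search count > 2`: users over the threshold on every window day."""
    return sorted(u for u, d in days_over_threshold(events, threshold).items() if d > min_days)


def alert_details(events):
    """The breakdown the asker wanted (by user, EventCode, Status, Failure_Reason),
    restricted to the users that actually trip the alert."""
    flagged = set(users_to_alert(events))
    detail = Counter()
    for ev in events:
        if ev["user"] in flagged and in_window(ev["_time"]):
            detail[(ev["user"], ev["EventCode"], ev["Status"], ev["Failure_Reason"])] += 1
    return sorted(detail.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    print("days over threshold:", dict(days_over_threshold(SAMPLE_EVENTS)))
    print("alert on:", users_to_alert(SAMPLE_EVENTS))
    for key, n in alert_details(SAMPLE_EVENTS):
        print(n, key)
```

Two things worth checking before wiring this into a real alert. First, the asker wrote "50 or more" while the accepted query uses `> 50`; the emulation keeps the strict comparison, so a user with exactly 50 failures a day never fires, and `>=` is the change if the asker's wording is what is wanted. Second, `count > 2` only means "three consecutive days" because the search window is exactly three days; if the window is ever widened (say to `-7d@d`), the same final stage would fire on any three days over the threshold, consecutive or not, so the window and the final threshold have to be changed together.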

majidlodhi
Explorer

Thank you very much. It works now :)

0 Karma