Hi All,
I am new to Splunk and not a pro in scripting; any help will be appreciated. I am trying to write a query that will display data for recurring failed login attempts over a period of three days where the count is equal to or more than 50.
E.g., if the user failed to log in 60 times today and 10 times for the next two days, the alert should not fire, but if the user failed to log in 60 times today, 70 tomorrow and 55 on the third day, it should fire with the details that I ask for.
I have written the query below thus far, but I am not able to figure out the "3 days" part and how it should be written:
sourcetype=wineventlog:security action=failure | search daysago=3 WHERE count>50 | stats count by user,EventCode,Status,Failure_Reason | sort - count
Thank you.
You were fairly close, just had your syntax slightly off, and the order of operations backwards.
1. Run a stats to count the number of failures by user and day
sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time
2. Next, look for anything that resulted in more than 50
sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50
3. Next, assuming you will run this once a day for "today" + 2 days, then you will want to count the number of occurrences where a single user had >50 failures
sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50 | stats count by user
4. Finally, you only want to alert if there are any users with a count > 2
sourcetype=wineventlog:security action=failure | bucket _time span=1d | stats count by user, _time | search count > 50 | stats count by user | search count > 2
So when you configure your alert, make sure to set it to run for earliest: -3d@d latest: @d, and schedule it to run once a day early in the morning.
Hope this helps
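The four-step SPL pipeline from the answer above, reimplemented as an added Python example (not from the original thread) so the two cases in the question can be checked offline: the events, user names and dates are constructed, the field names follow the wineventlog:security sourcetype the thread uses, and the window matches earliest=-3d@d latest=@d.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

def make_failures(user, day, n, event_code=4625):
    """Constructed sample data: n failed logons for `user` on `day` (a date)."""
    base = datetime(day.year, day.month, day.day, 8, 0, tzinfo=timezone.utc)
    return [{"_time": base + timedelta(seconds=i), "user": user,
             "EventCode": event_code, "action": "failure"} for i in range(n)]

def recurring_failure_users(events, earliest, latest, per_day=50, min_days=3):
    """Users with more than `per_day` failures on at least `min_days`
    distinct days within [earliest, latest). Mirrors the SPL steps:
      1. bucket _time span=1d | stats count by user, _time
      2. search count > 50
      3. stats count by user          (number of qualifying days)
      4. search count > 2             (i.e. >= 3 days)
    """
    per_user_day = Counter()
    for ev in events:
        if ev.get("action") != "failure" or not (earliest <= ev["_time"] < latest):
            continue
        day = ev["_time"].astimezone(timezone.utc).date()   # the span=1d bucket
        per_user_day[(ev["user"], day)] += 1
    qualifying_days = defaultdict(int)
    for (user, _day), count in per_user_day.items():
        if count > per_day:
            qualifying_days[user] += 1
    return sorted(u for u, d in qualifying_days.items() if d >= min_days)

# Constructed scenario from the question; the scheduled run happens "today" at @d.
TODAY = datetime(2024, 1, 10, tzinfo=timezone.utc)   # latest=@d
EARLIEST = TODAY - timedelta(days=3)                 # earliest=-3d@d
DAYS = [(EARLIEST + timedelta(days=i)).date() for i in range(3)]

SAMPLE_EVENTS = (
    make_failures("alice", DAYS[0], 60) + make_failures("alice", DAYS[1], 10)
    + make_failures("alice", DAYS[2], 10)              # 60/10/10: must not alert
    + make_failures("bob", DAYS[0], 60) + make_failures("bob", DAYS[1], 70)
    + make_failures("bob", DAYS[2], 55)                # 60/70/55: must alert
    + make_failures("carol", TODAY.date(), 500)        # today's partial day is excluded
)

def alerting_users():
    """Users the scheduled alert would report for this run."""
    return recurring_failure_users(SAMPLE_EVENTS, EARLIEST, TODAY)

if __name__ == "__main__":
    print(alerting_users())   # ['bob']
```

Note that `search count > 50` in the SPL and `count > per_day` here both exclude a day with exactly 50 failures; change the comparison to `>=` if the question's "50 or more" is what you want.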
Thank you very much. It works now :)