How to stop sending the same alert for failed logon attempts by the same user?


I've setup an alert on Splunk to send an Email when a user logs 3 failed logon attempts in 15mins.

host=MyDC AND ("EventCode=4625" OR "EventCode=4740") | stats count by user | search count > 3

Problem is most of the time these events get logged because of because of Mobile phones attempting to connect using the wrong password and users do not get locked out. So they continue to log failed logon events and continue to send out alerts.

Question: How do I stop it from alerting on the same user?

Tags (2)
0 Karma
1 Solution

Path Finder

If you look at the same page for the more latest version (that @kml_uvce gave above), you will see that the "Set up throttling for a per-result alert" section is missing along with a few other sections that were deleted on May 9, 2014, but wasn't included anywhere else. We shouldn't have to point folks to earlier versions of documenation for current features.

Here's the top part of the section, you will see how to use the feature to throttle based on a value or multiple values returned. In my case, I want to throttle based on username & time of login.

Set up throttling for a per-result alert

On the alert actions page for a per-result alert, you can define its throttling rules. You use throttling to reduce the frequency at which an alert triggers. For example, if your alert is being triggered by very similar events approximately 10 times per minute, you can set up throttling rules that cut that frequency down to a much more manageable rate. Throttling rules are especially important for per-result alerts, because they are based on real-time searches and get triggered each time they find a matching result.

Splunk's alert throttling rules enable you to throttle results that share the same field value for a given number of seconds, minutes, or hours. For example, say you have a search that returns results with username=cmonster and username=kfrog every 2-3 minutes or so. You don't want to get these alerts every few minutes; you'd rather not see alerts for any one username value more than once per hour. So here's what you do when you define an alert for this search:

  1. Click the checkbox next to Throttling.

  2. In the Suppress results with field value field, enter username.

  3. In the Suppress actions for listbox, select minute(s).

  4. In the adjacent field, type in 60. This sets the throttling interval to 60 minutes.

Read the link above for the rest of the story...

Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...