Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Multi destination brute force attempt rule
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multi destination brute force attempt rule
Hi all,
I am trying to create a rule that alerts when one source IP/user tries to login in to several (more than one) different destinations/hosts but I'm struggling a bit with the syntax. I was wondering if anyone could help, this is what I've got so far:
| from datamodel:"Authentication"."Authentication"
| stats values(tag) as tag,values(app) as app,count(eval('action'=="failure")) as failure,count(eval('action'=="success")) as success, by src, user
| where failure>10
| streamstats sum(failure) as total_fails, values(user) as user, values(success) as success, values(failure) as failure by src
| stats list(failure) as fails, list(success) as success, list(user) as user, dc(user) as user_count by src, total_fails
| where user_count > 5
Any help is appreciated, thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| from datamodel:"Authentication"."Authentication"
| stats values(tag) AS tag values(app) AS app count(eval('action'=="failure")) AS failure count(eval('action'=="success")) AS success BY src user
| multireport
[ eventstats sum(failure) AS src_fails sum(success) AS src_successes list(user) AS users dc(user) AS user_count BY src ]
[ eventstats sum(failure) AS user_fails sum(success) AS user_successes list(src) AS sources dc(src) AS src_count BY user ]
| where user_count > 5 OR src_count > 5
This keeps the raw events to examine but you can change the eventstats to stats to just keep the summary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer, I gave it a go and it didn't do quite what I need it to do (definitely done better than my search though, I didn't even know multireport was a thing!)
My goal is to alert when a src has at least 3 failed login attempts to 3 different destinations. As if someone was on the network with a few passwords trying different machine after machine till they get in.
It's frying my brain.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| from datamodel:"Authentication"."Authentication"
| stats values(tag) AS tag values(app) AS app count(eval('action'=="failure")) AS failureCount count(eval('action'=="success")) AS successCount BY src user
| stats sum(failureCount) AS failureCount values(dst) AS destinations dc(dst) AS dstCount
| where failureCount>=3 AND dstCount>=3
I took you literally with destinations but maybe you meant users; if so s/dst/user/g
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
