Alerting

Only alert if event happens X times, but display all events

Branden
Builder

I'm having a small dilemma with an alert that a user would like created...

Quite simply, we want to be alerted if a username has 3 or more failed login attempts in a 30 minute period. And if that alert triggers, I want to display ALL failed login attempts for that 30 minute period.

It sounded simple, but this turned out to be harder than I thought.

When I configure the alert to trigger if "Number of events > 3", it will trigger if ANY three users fail. I only want it to trigger if the same user fails (in the past 30 minutes).

Is there a way to do this? I'm running v4.3.3.

Thanks!

1 Solution

echalex
Builder

Hi,

Sounds to me that what you are trying to do is more or less the same as in this example in the documentation.

Basically, you add something like "| stats count by user" into the search and create a custom alert trigger such as "search count > 3".

HTH!

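Two savedsearches.conf stanzas that put the accepted answer into practice, added here as an example rather than taken from the thread or the Splunk documentation. The first follows the answer as given (per-user count plus a custom condition); the second keeps every failed attempt in the alert output, which is the second half of the original request. The index, field names and recipient address (`index=auth`, `action=failure`, `user`, `src`, `secops@example.com`) are assumptions; substitute whatever your login events actually carry.

```ini
# Added example: scheduled alert stanzas for savedsearches.conf (not from the thread).
# Assumed data: index=auth holds login events, action=failure marks a failed attempt,
# user is the account name, src is the client address.

# Variant 1: the accepted answer's approach. stats collapses events into one row per
# user, so the alert output lists users and counts, not the individual attempts.
[failed_logins_per_user_summary]
search = index=auth action=failure | stats count BY user
enableSched = 1
cron_schedule = */30 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
# Custom condition: fire only when at least one user row reaches the threshold.
# The question asked for "3 or more", hence >= 3 rather than > 3.
counttype = custom
alert_condition = search count >= 3
action.email = 1
action.email.to = secops@example.com

# Variant 2: keeps every failed attempt. eventstats attaches the per-user count to
# each event instead of collapsing them, so filtering on that count leaves all
# events of the offending users in the results while dropping everyone else.
[failed_logins_per_user_all_events]
search = index=auth action=failure | eventstats count AS failures BY user | where failures >= 3 | sort user, _time | table _time user src failures
enableSched = 1
cron_schedule = */30 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
# No custom condition needed: the search returns rows only when some user crossed
# the threshold, so "number of events greater than 0" is the trigger.
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = secops@example.com
```

Running every 30 minutes over the previous 30 minutes gives fixed windows, so three failures that straddle a window boundary will not fire; scheduling more often (for example every 5 minutes, still over -30m) approximates a sliding window at the cost of repeated alerts for the same burst.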


Branden
Builder

Never mind, I think I figured out why that procedure didn't work at first. Turns out it was behaving as expected after all. Thanks again, your link was very helpful!


echalex
Builder

Answer has been corrected now.


echalex
Builder

Oops, there was a minor typo in my answer. Perhaps this affected your results?

You need the "search" keyword in the custom condition, so it will restrict the results to only having more than three failures.


Branden
Builder

Thank you for your response.
Hmm..... the example you pointed me to is exactly what I need. And I followed the example verbatim, but it's not working as expected. It alerts regardless of how many login failures (even if less than three). And the alert report it provides is uninformative, but I can tweak that on my own.

But because the example you linked me to is exactly what I need, I think something else is weird on my end. I may open up a tech support ticket to get this worked out.

Thank you very much for the tip!
