Alerting

Splunk Alert based on threshold of failed logins within a specified time span

cdabbey
New Member

Splunk Gurus,

I am looking to build search that will identify any accounts that experience 5 failed login attempts within a 1 minute time span. The intent is to run a daily report highlight accounts with large amount of failures within a short period of time (potentially a bruteforce effort) for troubleshooting/customer service.

sourcetype=* result=FAILURE | table username, device, result, reason, src, "_time" | bucket _time span=1m | stats count by username, src | search count > 4
0 Karma
1 Solution

sk314
Builder

Have you tried eventstats? Like so:

sourcetype=* result=FAILURE | bucket _time span=1m | eventstats count by username, src | search count > 4 | table username device result reason src _time count

View solution in original post

0 Karma

sk314
Builder

Have you tried eventstats? Like so:

sourcetype=* result=FAILURE | bucket _time span=1m | eventstats count by username, src | search count > 4 | table username device result reason src _time count
0 Karma

cdabbey
New Member

I can definitely build on this, and really appreciate the help!

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...