Solved: Splunk Alert based on threshold of failed logins w...

cdabbey · ‎07-10-2017

Splunk Gurus,

I am looking to build search that will identify any accounts that experience 5 failed login attempts within a 1 minute time span. The intent is to run a daily report highlight accounts with large amount of failures within a short period of time (potentially a bruteforce effort) for troubleshooting/customer service.

sourcetype=* result=FAILURE | table username, device, result, reason, src, "_time" | bucket _time span=1m | stats count by username, src | search count > 4

sk314 · ‎07-10-2017

Have you tried eventstats? Like so:

sourcetype=* result=FAILURE | bucket _time span=1m | eventstats count by username, src | search count > 4 | table username device result reason src _time count

View solution in original post

sk314 · ‎07-10-2017

Have you tried eventstats? Like so:

sourcetype=* result=FAILURE | bucket _time span=1m | eventstats count by username, src | search count > 4 | table username device result reason src _time count

cdabbey · ‎07-12-2017

I can definitely build on this, and really appreciate the help!

Splunk Alert based on threshold of failed logins within a specified time span

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes