Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Alert creation for 5 Unsuccessful Login attempt from same source and same destination?

rajuljain_mc
New Member
‎11-05-2017 11:00 PM

Sample log-
Cisco ACS Authentication Failed
Nov 3 08:21:13 REL-DC-MSTCRD-ACS CSCOacs_Failed_Attempts 0001982755 2 0 2017-11-03 08:21:13.484 +05:30 0038659009 5401 NOTICE Failed-Attempt:
Authentication failed, ACSVersion=acs-5.8.1.4-B.462.x86_64, ConfigVersionId=53, Device IP Address=10.150.0.5, Device Port=44041,
DestinationIPAddress=172.20.1.200, DestinationPort=49, UserName=mvparam, Protocol=Tacacs, RequestLatency=141, Type=Authentication, Action=Login,
Privilege-Level=15, Authen-Type=ASCII, Service=Enable, User=rajul, Port=39, Remote-Address=172.20.1.152, UserName=rajul,
AcsSessionID=REL-DC-MSTCRD-ACS/278522990/2009452, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII,
SelectedAccessService=IMC-Access, IdentityGroup=IdentityGroup:All Groups:IMC-L2G, FailureReason=22004 , Step=13013 , Step=15008 , Step=15004 ,
Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=13045 , Step=13015 , Step=13014 , Step=15037 , Step=15041 ,
Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=22004

Query-index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed"

Stuck after this query, help to write rule please?

0 Karma
Reply

hardikJsheth
Motivator
‎11-06-2017 08:48 AM

In case you want to take time in consideration as well to check for consecutive unsuccessful login attempts, either you can use timechar command or add bin command to the query as follows:

index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | bin _time span=5m| stats count by DestinationIPAddress, Remote-Address, UserName | where count > 5
0 Karma
Reply

harsmarvania57
Ultra Champion
‎11-06-2017 06:56 AM

Hi

Can you please try this query ?

index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | stats count by DestinationIPAddress, Remote-Address, UserName | where count > 5

EDIT: Or may be below query because I don't know which is your source and destination IPs, you can change your source and destionation IP field in given query.

    index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | stats count by DestinationIPAddress, "Device IP Address", UserName | where count > 5

Thanks,
Harshil

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...