Alerting

Splunk alert creation for 5 unsuccessful login attempts from the same source and the same destination?

rajuljain_mc
New Member

Sample log:
Cisco ACS Authentication Failed
Nov 3 08:21:13 REL-DC-MSTCRD-ACS CSCOacs_Failed_Attempts 0001982755 2 0 2017-11-03 08:21:13.484 +05:30 0038659009 5401 NOTICE Failed-Attempt:
Authentication failed, ACSVersion=acs-5.8.1.4-B.462.x86_64, ConfigVersionId=53, Device IP Address=10.150.0.5, Device Port=44041,
DestinationIPAddress=172.20.1.200, DestinationPort=49, UserName=mvparam, Protocol=Tacacs, RequestLatency=141, Type=Authentication, Action=Login,
Privilege-Level=15, Authen-Type=ASCII, Service=Enable, User=rajul, Port=39, Remote-Address=172.20.1.152, UserName=rajul,
AcsSessionID=REL-DC-MSTCRD-ACS/278522990/2009452, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII,
SelectedAccessService=IMC-Access, IdentityGroup=IdentityGroup:All Groups:IMC-L2G, FailureReason=22004 , Step=13013 , Step=15008 , Step=15004 ,
Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=13045 , Step=13015 , Step=13014 , Step=15037 , Step=15041 ,
Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=22004

Query:

    index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed"

Stuck after this query; can you please help me write the rule?

0 Karma

hardikJsheth
Motivator

In case you want to take time into consideration as well, to check for consecutive unsuccessful login attempts, you can either use the timechart command or add the bin command to the query as follows:

    index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | bin _time span=5m | stats count by _time, DestinationIPAddress, "Remote-Address", UserName | where count >= 5
0 Karma

harsmarvania57
Ultra Champion

Hi

Can you please try this query ?

    index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | stats count by DestinationIPAddress, "Remote-Address", UserName | where count >= 5

EDIT: Or maybe the query below, because I don't know which are your source and destination IPs; you can change the source and destination IP fields in the given query.

    index=ecs_legacy source="/var/log/cisco-acs.log" "NOTICE Failed-Attempt: Authentication failed" | stats count by DestinationIPAddress, "Device IP Address", UserName | where count >= 5

Thanks,
Harshil

0 Karma
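The two answers above describe the rule in SPL; the following is an added example (not code from the thread or from Splunk) that runs the same logic in Python over constructed Cisco ACS lines, so you can see what `bin _time span=5m | stats count by _time, DestinationIPAddress, "Remote-Address", UserName | where count >= 5` actually counts. It assumes the field names exactly as they appear in the posted log line, takes the last value when a key repeats (the posted line carries `UserName` twice), uses a threshold of 5 as in the question, and adds a sliding-window variant to show a burst that fixed 5-minute bins split across a boundary and therefore miss:

```python
"""Failed-login threshold detection over Cisco ACS 'Failed-Attempt' events.

Added example for the thread above; not code from the thread or from Splunk.
Assumptions: field names as in the posted log line, last value wins for a
repeated key, threshold of 5 failures, span of 5 minutes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SPAN = 300          # seconds; mirrors `bin _time span=5m`
THRESHOLD = 5       # the "5 unsuccessful attempts" in the question
KEY_FIELDS = ("DestinationIPAddress", "Remote-Address", "UserName")

# Constructed sample events (not taken from a real system). Same layout as the
# posted log line; timestamps, user and remote address vary per event.
_TEMPLATE = (
    "Nov 3 {clock} REL-DC-MSTCRD-ACS CSCOacs_Failed_Attempts 0001982755 2 0 "
    "2017-11-03 {clock}.000 +05:30 0038659009 5401 NOTICE Failed-Attempt: "
    "Authentication failed, ACSVersion=acs-5.8.1.4-B.462.x86_64, "
    "Device IP Address=10.150.0.5, DestinationIPAddress={dst}, DestinationPort=49, "
    "Protocol=Tacacs, Type=Authentication, Action=Login, "
    "Remote-Address={remote}, UserName={user}, FailureReason=22004 , Step=22004"
)


def make_event(clock, dst="172.20.1.200", remote="172.20.1.152", user="rajul"):
    return _TEMPLATE.format(clock=clock, dst=dst, remote=remote, user=user)


SAMPLE_LOG = [
    # 5 failures between 08:20 and 08:25 -> one 5-minute bin, should alert
    make_event("08:20:05"), make_event("08:21:13"), make_event("08:22:40"),
    make_event("08:23:01"), make_event("08:24:59"),
    # 5 failures straddling the 08:30 bin boundary -> fixed bins see 2 + 3
    make_event("08:28:10", user="admin"), make_event("08:29:20", user="admin"),
    make_event("08:30:05", user="admin"), make_event("08:31:30", user="admin"),
    make_event("08:32:45", user="admin"),
    # a different remote address with only 2 failures -> never alerts
    make_event("08:21:00", remote="10.1.1.9"), make_event("08:22:00", remote="10.1.1.9"),
    # not a failed attempt at all -> filtered out by the search string
    "Nov 3 08:22:00 REL-DC-MSTCRD-ACS CSCOacs_Passed_Authentications 0001982756 1 0 "
    "2017-11-03 08:22:00.000 +05:30 0038659010 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, DestinationIPAddress=172.20.1.200, "
    "Remote-Address=172.20.1.152, UserName=rajul",
]

# The ACS event carries a full timestamp with UTC offset after the syslog header.
_TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ ([+-])(\d{2}):(\d{2}) ")


def parse_event(line):
    """Return (epoch_seconds, fields) for a failed attempt, else None."""
    if "NOTICE Failed-Attempt: Authentication failed" not in line:
        return None  # same filter as the thread's search string
    m = _TS.search(line)
    if not m:
        return None
    sign = 1 if m.group(2) == "+" else -1
    tz = timezone(sign * timedelta(hours=int(m.group(3)), minutes=int(m.group(4))))
    epoch = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).timestamp()
    # After "Authentication failed, " the payload is comma-separated key=value
    # pairs; keys may contain spaces and hyphens ("Device IP Address", "Remote-Address").
    body = line.split("Authentication failed, ", 1)[1]
    fields = {}
    for pair in body.split(", "):
        if "=" in pair:
            k, v = pair.split("=", 1)
            fields[k.strip()] = v.strip()  # a repeated key (second UserName) overwrites
    return epoch, fields


def _key(fields):
    return tuple(fields.get(name, "") for name in KEY_FIELDS)


def count_by_bin(lines, span=SPAN):
    """`bin _time span | stats count by _time, dst, remote, user` over the lines."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        epoch, fields = parsed
        counts[(int(epoch // span) * span,) + _key(fields)] += 1
    return dict(counts)


def alerts_fixed_bins(lines, span=SPAN, threshold=THRESHOLD):
    """`where count >= threshold`: returns (bin_epoch, dst, remote, user) tuples."""
    return sorted(k for k, c in count_by_bin(lines, span).items() if c >= threshold)


def alerts_sliding_window(lines, span=SPAN, threshold=THRESHOLD):
    """Stricter variant: `threshold` failures inside any `span`-second window,
    so a burst that straddles a fixed bin boundary is still caught."""
    times = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed is not None:
            epoch, fields = parsed
            times[_key(fields)].append(epoch)
    hits = set()
    for key, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= span:
                hits.add(key)
                break
    return sorted(hits)


if __name__ == "__main__":
    for hit in alerts_fixed_bins(SAMPLE_LOG):
        print("fixed-bin alert:", hit)
    for hit in alerts_sliding_window(SAMPLE_LOG):
        print("sliding-window alert:", hit)
```

On the constructed input the fixed-bin rule fires once (the five "rajul" failures in the 08:20 bin) and is blind to the five "admin" failures spread over 08:28 to 08:32, which the sliding window catches; a scheduled Splunk alert with a fixed `bin` has the same blind spot, so either run it over a window longer than the span or use `streamstats` with `time_window` for a sliding count.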