Alerting

Why am I not receiving my real time alerts to list attempts of brute force attacks?

Communicator

Hi,

I created an alert to list attempts of brute force attacks.

Something like:

source="WinEventLog:Security" EventCode=4771 | transaction user, ip maxpause=10s | table user, ip, eventcount | WHERE eventcount > 10

I am running the search in real-time and I can see the results but my alert is not working! The alert is configured in real-time and the trigger's condition is configured per-result, but I still don't receive any e-mail alert.

Best Regards,
Lopes.

0 Karma
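To make clear what the search above actually returns (and therefore what a per-result trigger fires on), here is an added Python re-implementation of its logic, not code from the thread or from Splunk. It replays the pipeline over a constructed set of EventCode 4771 (Kerberos pre-authentication failed) records: keep only 4771, group by (user, ip), split a group into separate transactions whenever two consecutive failures are more than `maxpause` apart, and keep transactions with more than 10 events. The field names `user` and `ip` are assumed to already be extracted, as the poster's search relies on, and the sample events are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def _make_events() -> List[dict]:
    """Constructed sample events (not from the thread), one per Security event."""
    base = datetime(2024, 1, 1, 8, 0, 0)
    events = []
    # John.carl: 12 failures 1 s apart -> one transaction of 12 events
    for i in range(12):
        events.append({"_time": base + timedelta(seconds=i), "EventCode": 4771,
                       "user": "John.carl", "ip": "10.10.10.10"})
    # richard-grey: 15 failures 2 s apart -> one transaction of 15 events
    for i in range(15):
        events.append({"_time": base + timedelta(seconds=2 * i), "EventCode": 4771,
                       "user": "richard-grey", "ip": "8.8.8.8"})
    # PAUL: 20 failures with a 60 s pause after the first 8 -> two transactions (8 and 12)
    for i in range(20):
        offset = i if i < 8 else i + 60
        events.append({"_time": base + timedelta(seconds=offset), "EventCode": 4771,
                       "user": "PAUL", "ip": "10.11.11.11"})
    # alice: only 3 failures -> never crosses the threshold
    for i in range(3):
        events.append({"_time": base + timedelta(seconds=i), "EventCode": 4771,
                       "user": "alice", "ip": "10.0.0.5"})
    # a successful logon (4624) that the EventCode=4771 clause filters out
    events.append({"_time": base, "EventCode": 4624, "user": "alice", "ip": "10.0.0.5"})
    return events


SAMPLE_EVENTS = _make_events()


def transactions(events: List[dict], maxpause_s: float) -> List[Tuple[str, str, int]]:
    """Mimic `transaction user, ip maxpause=<N>s`: group by (user, ip), order by
    time, and start a new transaction when the gap between consecutive events
    exceeds maxpause_s seconds. Returns (user, ip, eventcount) per transaction."""
    by_key: Dict[Tuple[str, str], List[datetime]] = {}
    for ev in events:
        by_key.setdefault((ev["user"], ev["ip"]), []).append(ev["_time"])
    result = []
    for (user, ip), times in by_key.items():
        times.sort()
        count = 0
        prev = None
        for t in times:
            if prev is not None and (t - prev).total_seconds() > maxpause_s:
                result.append((user, ip, count))   # close the previous transaction
                count = 0
            count += 1
            prev = t
        result.append((user, ip, count))           # close the last transaction
    return result


def brute_force_candidates(events: List[dict], threshold: int = 10,
                           maxpause_s: float = 10) -> List[Tuple[str, str, int]]:
    """The whole search: EventCode=4771 | transaction user, ip | where eventcount > threshold.
    Each returned row is one 'result'; a per-result alert trigger fires once per row."""
    failures = [e for e in events if e["EventCode"] == 4771]
    return sorted(row for row in transactions(failures, maxpause_s) if row[2] > threshold)


if __name__ == "__main__":
    print(f"{'user':<14} {'ip':<14} eventcount")
    for user, ip, n in brute_force_candidates(SAMPLE_EVENTS):
        print(f"{user:<14} {ip:<14} {n}")
```

Two things the replay makes visible: the search yields one row per (user, ip) transaction, so three rows over the threshold should mean three per-result notifications, and a user whose failures pause for longer than `maxpause` is split into separate transactions, each counted on its own (PAUL's first burst of 8 is dropped while the later burst of 12 survives).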

Champion

I am running the search in real-time and I can see the results but my alert is not working ///
- Are you seeing more than 10 events or fewer? Also,
- can you double check the email notification settings?
---- the alert email: is it set for number of results or hosts or ...

0 Karma

Communicator

Hi inventsekar, thanks for your reply.

  • Yes, I am seeing users that contain more than 10 events. Here is an example of my real-time results:

User IP
John.carl 10.10.10.10
richard-grey 8.8.8.8
PAUL 10.11.11.11

My alert is configured to send mail per result. In this case, for example, I have 3 results, but I am receiving just 1 mail with 1 result, for example, PAUL 10.11.11.11.
What about the other users?

Best regards,
Lopes.

0 Karma

Splunk Employee

Hi Lopes,
Not sure if you have set your mail server settings correctly?
Settings -> Server settings -> Email settings

0 Karma