Can the Splunk Machine Learning Toolkit be utilized to help identify a cluster of failed logins on Windows and Unix Servers? I'm trying to find a use case to help demonstrate the capabilities in an IT Security/Analytics context and this is all very new to me.
You can do both without the Splunk Machine Learning Toolkit, though you may find the Toolkit's Detect Numeric Outliers assistant helpful.
Start by identifying the failed logins. This is specific to your environment and there are many examples online:
I'll assume you've gotten to the point where you have the following fields: _time, host, username. If you want to use the Toolkit, you can send that through timechart to aggregate by some span (say, every 5 minutes) and bring that data into the Detect Numeric Outliers assistant:
... | table _time, host, username | timechart span=5m count
Then, simply look for outliers in the number of failed logins. If you want to do this per host or per user, add that field in the split-by field in the assistant and you're done!
As for login attempts in rapid succession, a short span will detect that, or you could use streamstats to compute the time between login attempts and look for outliers there.
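Both detections described in the answer, worked through as an added example that is not part of the original thread: a small Python script run over constructed failed-login events standing in for the search results (fields _time, host and username already extracted). It counts failures per host per 5-minute span and flags buckets that sit k standard deviations above that host's own mean, which is the method assumed here for the Detect Numeric Outliers assistant, and it computes the gap between consecutive attempts across all hosts the way streamstats would. The SPL fragments in the comments, the host and account names, the timestamps and the thresholds are all assumptions made for the example.

```python
"""
Added example (not from the original thread): the two detections the answer
describes, run over constructed failed-login events instead of a Splunk index.
The SPL fragments in comments are the searches it mirrors and assume the
fields _time, host and username have already been extracted.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, stdev

DAY = 1709251200  # 2024-03-01 00:00:00 UTC, a fixed day for the sample data


def _t(hms):
    """Epoch seconds for a clock time on the sample day (assumed UTC)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return DAY + h * 3600 + m * 60 + s


def _ev(hms, host, user):
    return {"_time": _t(hms), "host": host, "username": user}


def _clock(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%H:%M:%S")


# Constructed sample data, not real logs: background noise on three hosts ...
FAILED_LOGINS = (
    [_ev("09:02:10", "web01", "alice"), _ev("09:17:45", "web01", "bob"),
     _ev("09:41:03", "web01", "alice"), _ev("09:58:20", "web01", "carol"),
     _ev("09:08:30", "app01", "dave"), _ev("09:26:12", "app01", "dave"),
     _ev("09:53:40", "app01", "erin"),
     _ev("09:12:05", "db01", "frank"), _ev("09:44:50", "db01", "grace")]
    # ... one host hammered on a single account, one attempt every 2 s ...
    + [_ev(f"09:32:{2 * i:02d}", "db01", "administrator") for i in range(15)]
    # ... and a short burst spread over all three hosts, one attempt per second.
    + [_ev(f"09:50:{i:02d}", host, "svc_backup")
       for i, host in enumerate(["web01", "app01", "db01"] * 2)]
)


def bucket_outliers(events, split_by="host", span=300, k=2.0, min_count=5):
    """Scenario 1: failures per span per split-by value, flag buckets far
    above that series' own baseline.

    Mirrors `... | timechart span=5m count by host` followed by the Detect
    Numeric Outliers assistant, assumed here to be mean + k*stdev. Empty
    buckets count as zero, as timechart does, otherwise a quiet host has no
    baseline. min_count is an absolute floor the assistant does not give you:
    on a sparse series two or three failures can land above k standard
    deviations from a near-zero mean.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e[split_by]][e["_time"] - e["_time"] % span] += 1
    lo = min(e["_time"] for e in events) // span * span
    hi = max(e["_time"] for e in events) // span * span
    buckets = range(lo, hi + span, span)

    flagged = []
    for key in sorted(counts):
        series = [counts[key].get(b, 0) for b in buckets]
        if len(series) < 2:
            continue
        threshold = mean(series) + k * stdev(series)
        for b, n in zip(buckets, series):
            if n > threshold and n >= min_count:
                flagged.append({split_by: key, "bucket": _clock(b),
                                "count": n, "threshold": round(threshold, 2)})
    return flagged


def rapid_runs(events, max_gap=5, min_run=5):
    """Scenario 2: attempts in rapid succession on any host.

    Mirrors `... | sort 0 _time | streamstats current=f last(_time) as prev
    | eval gap=_time-prev`, then groups consecutive attempts whose gap is at
    most max_gap seconds and keeps runs of at least min_run attempts. Not
    split by host on purpose: a burst spread over several machines is
    invisible per host but obvious in the merged timeline.
    """
    ordered = sorted(events, key=lambda e: e["_time"])
    runs, current = [], []

    def close():
        if len(current) >= min_run:
            runs.append({
                "start": _clock(current[0]["_time"]),
                "end": _clock(current[-1]["_time"]),
                "count": len(current),
                "hosts": sorted({e["host"] for e in current}),
                "users": sorted({e["username"] for e in current}),
            })

    for e in ordered:
        if current and e["_time"] - current[-1]["_time"] <= max_gap:
            current.append(e)
        else:
            close()
            current = [e]
    close()
    return runs


if __name__ == "__main__":
    for hit in bucket_outliers(FAILED_LOGINS):
        print("bucket outlier:", hit)
    for run in rapid_runs(FAILED_LOGINS):
        print("rapid run:", run)
```

Two things worth noticing when you run it. With the floor removed (`min_count=0`) the per-host outlier pass also flags buckets holding only two or three failures, because a host that is normally silent has a standard deviation close to zero; the same thing will happen in the assistant, so put a sanity threshold in front of any alert. And the six-attempt `svc_backup` burst never shows up per host (two failures on each machine looks like noise) but is the second run reported by the gap-based pass, which is why the "rapid succession" check should not be split by host.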
Could you please elaborate on what you mean by a 'cluster'? Do you mean sets of systems that had failed logins around the same time? Do you mean sets of login attempts (on any system) that happened in rapid succession? Do you mean failed logins (on any system, at any time) that had similar characteristics? Etc.
Sorry! Actually, the first two scenarios you had mentioned: both failed logins around the same time and login attempts on any system that happened in rapid succession.
Thank you for your help!