Can the Splunk Machine Learning Toolkit be utilized to help identify a cluster of failed logins on Windows and Unix Servers? I'm trying to find a use case to help demonstrate the capabilities in an IT Security/Analytics context and this is all very new to me.
I'll assume you've gotten to the point where you have the following fields: _time, host, username. If you want to use the Toolkit, you can send that through timechart to aggregate by some span (say, every 5 minutes) and bring that data into the Detect Numeric Outliers assistant:
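As an added example that is not code from the original answer or from Splunk, the script below does outside the toolkit what the answer describes: it bins failed-login events (fields `_time`, `host`, `username`) into 5-minute spans per host, the way `timechart span=5m count by host` would, and then flags bins whose count is an outlier relative to that host's own baseline. The sample events, the IQR rule, the 1.5 multiplier and the minimum-count floor are my constructed assumptions for illustration; the Detect Numeric Outliers assistant lets you pick its own method and threshold, so treat this as a model of the idea rather than the assistant's exact computation.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import quantiles

# Constructed sample of failed-login events as (_time, host, username).
# These are made-up values for the example, not real log data.
SAMPLE_EVENTS = [
    ("2024-03-01T09:01:10", "unix-01", "alice"),
    ("2024-03-01T09:02:05", "win-01", "bob"),
    ("2024-03-01T09:07:30", "unix-01", "carol"),
    ("2024-03-01T09:08:12", "win-01", "bob"),
    ("2024-03-01T09:11:44", "win-01", "dave"),
    ("2024-03-01T09:12:20", "unix-01", "alice"),
    ("2024-03-01T09:18:00", "unix-01", "erin"),
    ("2024-03-01T09:22:15", "win-01", "bob"),
    ("2024-03-01T09:24:50", "unix-01", "carol"),
    ("2024-03-01T09:27:33", "win-01", "dave"),
    ("2024-03-01T09:28:05", "unix-01", "alice"),
] + [
    # A burst of twelve failures on win-01 inside the 09:15-09:20 bin.
    ("2024-03-01T09:15:%02d" % (5 * i), "win-01", "svc-backup") for i in range(12)
]


def bin_start(ts: datetime, span: timedelta) -> datetime:
    """Floor a timestamp to the start of its span-sized bin."""
    epoch = datetime(1970, 1, 1)
    return ts - ((ts - epoch) % span)


def timechart_counts(events, span_minutes: int = 5):
    """Count events per host per bin, zero-filling empty bins across the
    whole time range, as timechart does for each series."""
    span = timedelta(minutes=span_minutes)
    counts = defaultdict(lambda: defaultdict(int))
    seen_bins = []
    for ts_str, host, _username in events:
        b = bin_start(datetime.fromisoformat(ts_str), span)
        counts[host][b] += 1
        seen_bins.append(b)
    first, last = min(seen_bins), max(seen_bins)
    series = {}
    for host in sorted(counts):
        row, b = [], first
        while b <= last:
            row.append((b, counts[host].get(b, 0)))
            b += span
        series[host] = row
    return series


def iqr_outliers(row, multiplier: float = 1.5, min_count: int = 5):
    """Flag bins whose count exceeds Q3 + multiplier * IQR for this series.
    min_count guards the sparse case: when most bins are zero the IQR
    collapses to 0 and every non-zero bin would otherwise be flagged."""
    values = [count for _, count in row]
    if len(values) < 4:          # too few bins for a meaningful spread
        return []
    q1, _q2, q3 = quantiles(values, n=4)
    upper = q3 + multiplier * (q3 - q1)
    return [(b, c) for b, c in row if c > upper and c >= min_count]


def find_failed_login_bursts(events, span_minutes=5, multiplier=1.5, min_count=5):
    """Return {host: [(bin_start_iso, count), ...]} for hosts with outlier bins."""
    bursts = {}
    for host, row in timechart_counts(events, span_minutes).items():
        flagged = iqr_outliers(row, multiplier, min_count)
        if flagged:
            bursts[host] = [(b.isoformat(), c) for b, c in flagged]
    return bursts


if __name__ == "__main__":
    for host, hits in find_failed_login_bursts(SAMPLE_EVENTS).items():
        for when, count in hits:
            print(f"{host}: {count} failed logins in the 5-minute bin starting {when}")
```

The minimum-count floor matters in practice: a host that normally sees zero failures per bin has an IQR of zero, so without the floor a single stray failure becomes an "outlier" and the detection is mostly noise. Also note this only finds bursts on one host at a time; a pattern spread thinly across many hosts would need the data aggregated differently, which is why the follow-up question about what "cluster" means matters before choosing the search.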
Could you please elaborate on what you mean by a 'cluster'? Do you mean sets of systems that had failed logins around the same time? Do you mean sets of login attempts (on any system) that happened in rapid succession? Do you mean failed logins (on any system, at any time) that had similar characteristics? Etc.