Solved: How to track if someone is trying to log in every ...

summitsplunk · ‎05-01-2018

My query looks like this:

eventtype=ftnt_fgt_event subtype=system host="*" eventtype=ftnt_fgt_auth_privileged status=failed
|stats count by src_user,src,action

How would I check if this query produces results on an X timeframe like every 10min?

woodcock · ‎05-01-2018

Like this, for rigid buckets:

eventtype=ftnt_fgt_event subtype=system host="*" eventtype=ftnt_fgt_auth_privileged status=failed
| bin span=10m _time
| stats count BY src_user, src, action, _time

OR this for a sliding window:

eventtype=ftnt_fgt_event subtype=system host="*" eventtype=ftnt_fgt_auth_privileged status=failed
| streamstats time_window=600 count BY src_user, src, action

View solution in original post

woodcock · ‎05-01-2018

Like this, for rigid buckets:

eventtype=ftnt_fgt_event subtype=system host="*" eventtype=ftnt_fgt_auth_privileged status=failed
| bin span=10m _time
| stats count BY src_user, src, action, _time

OR this for a sliding window:

eventtype=ftnt_fgt_event subtype=system host="*" eventtype=ftnt_fgt_auth_privileged status=failed
| streamstats time_window=600 count BY src_user, src, action

macadminrohit · ‎05-01-2018

streamstats and eventstats command are the two which give me hard times everytime 🙂

How to track if someone is trying to log in every X minutes or seconds as if programmed to do so?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!