Splunk has a dashboard that lists Users Failing to Logon from Multiple IPs and Failed Logons by Username.
I am interested in setting up alerts based off of those, but I'm unsure how.
I know I can open each one up in a search and choose "Save as alert" from the drop-down box, but I don't know if that is the best approach.
I don't want to rely on running a report manually, so I need an alert that triggers an email.
I had a similar need recently and got there with the following:
index=_audit "action=login attempt" sourcetype=audittrail NOT SEARCH | table _time user src dest info
If you are looking for failed logons only, you can either add
to the end of the search OR:
index=_audit "action=login attempt" sourcetype=audittrail info=failed NOT SEARCH | table _time user src dest info
This info should be in the WinEvent:Security logs. I don't have that app to check Windows logins. If you can provide the search by clicking on that dashboard, or the application name/dashboard name of the view, I can help further.
Users Failing to Logon from Multiple IPs:
eventtype=msad-failed-user-logons (host="*")|fields time,signature,srcip,srchost,srcnthost,srcntdomain,user,LogonType | fix-localhost|stats count by user,srcntdomain,srchost,srcnthost|stats count as nips by user,srcntdomain|where nips>1|sort -nips|rename nips as "# Workstations", user as Username, srcnt_domain as "Domain"
Want: an email generated when the count of IPs is > 1.
Question: how do I control the time interval? A real-time alert when the count is > 1 over the last 2 minutes?
Failed Logons by Username:
eventtype=msad-failed-user-logons (host="*") srcntdomain="." | fields time,signature,srcip,srchost,srcnthost,srcntdomain,user,LogonType | join srcip [|inputlookup tHostInfo | table srcip,srchost,srcnt_domain]
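One way to get the scheduled email alert asked for above, as an added example rather than anything posted in this thread: a `local/savedsearches.conf` stanza that runs the "Users Failing to Logon from Multiple IPs" search (minus the dashboard-only rename and the `fix-localhost` step) every 2 minutes over the previous 2 minutes and emails the results. The stanza name, the recipient address and the choice of a scheduled rather than real-time search are assumptions.

```ini
# Added example, not from the original thread.
# Place in $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
# (the app that owns the msad-failed-user-logons eventtype).
[Alert - Users failing logon from multiple IPs]
# The thread's search, trimmed to what the alert needs. One row per
# user/domain pair that failed from more than one workstation.
search = eventtype=msad-failed-user-logons | stats count by user,srcntdomain,srchost,srcnthost | stats count as nips by user,srcntdomain | where nips>1 | sort -nips

# Time interval: a scheduled search every 2 minutes over the last
# 2 minutes (snapped to the minute). This answers the "last 2 min"
# question without the cost of a real-time search.
enableSched = 1
cron_schedule = */2 * * * *
dispatch.earliest_time = -2m@m
dispatch.latest_time = now

# Trigger condition: fire when the search returns at least one row,
# i.e. at least one user with nips > 1.
counttype = number of events
relation = greater than
quantity = 0

# Throttle repeats: after firing, stay quiet for an hour. Per-user
# throttling (alert.suppress.fields = user) would additionally need
# per-result alerting (alert.digest_mode = 0), which sends one email
# per matching user instead of one digest.
alert.suppress = 1
alert.suppress.period = 1h
alert.digest_mode = 1
alert.track = 1
alert.severity = 4

# Email action. The address is a placeholder.
action.email = 1
action.email.to = soc-alerts@example.com
action.email.subject = Splunk alert: $name$ ($job.resultCount$ accounts)
action.email.sendresults = 1
action.email.inline = 1
action.email.format = table
```

Restart Splunk (or reload the app's saved searches) after editing the file, and the same stanza shape works for the "Failed Logons by Username" search by swapping in that search string. If a true real-time alert is wanted, `dispatch.earliest_time = rt-2m` with `dispatch.latest_time = rt` gives a rolling 2-minute window, at the cost of a continuously running search.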