
Create alerts for failed Logons

Path Finder

Splunk has a dashboard that list Users Failing to Logon from Multiple IPs and Failed Logons by Username.

I am interested in setting up alerts based on those, but I'm unsure how.

I know I can open each up in a search and I could choose save as an alert from the drop down box but I don't know if that is the best approach.

I don't want to rely on running a report manually, so I need an alert that triggers an email.


Re: Create alerts for failed Logons

Contributor

Hi Heathramos,

I had a similar need recently and got there with the following:

    index=_audit "action=login attempt" sourcetype=audittrail  NOT SEARCH  | table  _time user src dest info

If you are looking for failed attempts only, you can either add

    | search info=failed

to the end of the search OR:

    index=_audit "action=login attempt" sourcetype=audittrail info=failed NOT SEARCH | table _time user src dest info

Re: Create alerts for failed Logons

Path Finder

Just to clarify, I mean failed logons to the computer/domain, not failed logons into Splunk.


Re: Create alerts for failed Logons

Contributor

This info should be in the WinEvent:Security logs. I don't have that app to check Windows logins. If you can provide the search by clicking on that dashboard, or the application name/dashboard name of the view, I can help further.


Re: Create alerts for failed Logons

Path Finder

Users Failing to Logon from Multiple IPs:

    eventtype=msad-failed-user-logons (host="*") | fields time,signature,srcip,srchost,srcnthost,srcntdomain,user,LogonType | ip-to-host | fix-localhost | stats count by user,srcntdomain,srchost,srcnthost | stats count as nips by user,srcntdomain | where nips>1 | sort -nips | rename nips as "# Workstations", user as Username, srcntdomain as "Domain"

Want: An email generated when count of IPs >1

Question: How do I control the time interval? A real-time alert when the count is > 1 over the last 2 minutes?

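One way to turn the search above into an alert that e-mails on its own schedule, as an added example that is not part of the original thread: a savedsearches.conf stanza that runs it every 5 minutes over the previous 5 minutes and sends one e-mail per user seen failing from more than one IP. The stanza name and recipient address are placeholders; the search body is the one posted above, cut before the cosmetic renames, and the time window is what dispatch.earliest_time/dispatch.latest_time and cron_schedule control.

```ini
# Added example (not from the thread): savedsearches.conf stanza, e.g. in
# $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf.
# Stanza name and recipient are placeholders; the search is the one posted above.
[Failed logons from multiple IPs]
search = eventtype=msad-failed-user-logons (host="*") | fields time,signature,srcip,srchost,srcnthost,srcntdomain,user,LogonType | ip-to-host | fix-localhost | stats count by user,srcntdomain,srchost,srcnthost | stats count as nips by user,srcntdomain | where nips>1 | sort -nips

# Time interval: a scheduled search over a fixed window. Every 5 minutes, look at
# the 5 minutes ending at the top of the current minute (snapped with @m so runs
# neither overlap nor leave gaps). For a rolling real-time window instead, use
# dispatch.earliest_time = rt-2m and dispatch.latest_time = rt, at a noticeably
# higher indexer cost; the scheduled form is the cheaper default.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Trigger condition: the search already keeps only rows with nips>1, so every
# row is a user failing logons from more than one IP. Fire per result, so each
# offending user gets their own alert and $result.*$ tokens are available.
counttype = always
alert.digest_mode = 0
alert.track = 1
alert.severity = 4

# Throttle: once a user has triggered, stay quiet about that same user for 60
# minutes, so a noisy account does not produce a new e-mail every 5 minutes.
alert.suppress = 1
alert.suppress.fields = user
alert.suppress.period = 60m

# Action: e-mail the result inline (placeholder recipient).
action.email = 1
action.email.to = soc@example.com
action.email.subject = Splunk Alert: $result.user$ failed logons from $result.nips$ IPs
action.email.inline = 1
action.email.sendresults = 1
```

After saving the stanza, restart Splunk or reload the app so the scheduler picks it up; the same stanza can be created through Save As > Alert in the UI, which writes these keys for you.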

Re: Create alerts for failed Logons

Path Finder

Failed Logons by Username:

    eventtype=msad-failed-user-logons (host="*") srcntdomain="." | fields time,signature,srcip,srchost,srcnthost,srcntdomain,user,LogonType | join srcip [| inputlookup tHostInfo | table srcip,srchost,srcnt_domain]
