Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Total Account lockouts > 2 within 30mins

siddh01r
New Member
‎09-12-2019 09:40 PM

Hi There,

I am trying to find where total account lockouts that are greater than 2 within the time frame of 30 mins.
This is to find out potential malicious activity where someone is trying to possibility crack a password for an account.
our lockout threshold is 15 mins and it gets unlocked. This way I can see if someone possibly has tried to log into an account more than 2 times and locked an account in 30 mins.

Here is my query which gives me total results >2, but i am not sure how to specify the timeframe of 30 mins in the query.
Any help would be appreciated.

description="Account Lockouts" EventCode=4740 user="*" host=primarydc
| stats count as total by user, host
| where total > 2

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-13-2019 04:17 AM

Hi siddh01r,
if you need to create an alert, you can use your search putting as time period:

earliest=-30m latest=now

and schedule this alert every 30 minutes.

if you want to create a panel, you could use timechart command:

description="Account Lockouts" EventCode=4740 user="*" host=primarydc
| eval col=user." ".host
| timechart span=30m count as total by col
| where total > 2

P.S.: use always index in your searches, it's faster.

Bye.
Giuseppe

0 Karma
Reply

maciep
Champion
‎09-16-2019 03:59 AM

you may want to run this more often, maybe every 5 minutes and find a way to deal with dups. Or run it over a longer period and use delta to find the time between alerts. If you run it every 30, you could miss failed attempts that cross timespans.

For example, if it runs on the 0 &30 minute mark and attempts fail on the 57 and 02 minute marks. The first run at the 0 min would only see the attempt at 57 and the run at the 30 mark would only see the attempt at 2nd minute. And so even though the attempts are 5 minutes apart, your alert would miss them.

0 Karma
Reply

siddh01r
New Member
‎09-15-2019 03:26 PM

Thank you so much Guiseppe. Great help.
Question - what is the below used for, can you please give me some context?

| eval col=user." ".host

also,
When I use that query, I see that there are events but I get no statistical table with results i.e "0 statistics".

Cheers
Sid

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-16-2019 12:18 AM

About the first question, you have to create a timechart with two parameterts, user and host, but timechart can take only one parameter, in thjis way you can use two parameters in timechart.

About the second question, if you use | where total>2, you add a filter for your Alert: in this way, if you have results, alert is triggered otherwise not.
If instaed you want to use this search in a panel, you can remove the filter and see all the results.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...