
I need to create a rule to get alerts

asakha
Observer
  1. Alert when end-users have logged onto the VPN entry point more than 5 times in a day.
  2. A fail-to-ban feature for an IP address if its login fails more than 3 times in 1 hr.
  3. A weekly report of the end-users' IP addresses attempting to log into the VPN entry point.
0 Karma

kiran_panchavat
SplunkTrust

@asakha You have to adjust your correlation search as per your fields. This is just a reference.

Alert when end-users have logged onto the VPN entry point more than 5 times in a day.

index=<indexname> sourcetype=<sourcetypename> status=success | bin _time span=1d as day | stats count by user, day | where count > 5 | table user, day, count

A fail-to-ban feature for an IP address if its login fails more than 3 times in 1 hr.

index=<indexname> sourcetype=<sourcetypename> action=failure
| stats count as failed_login_count by src_ip, _time span=1h
| where failed_login_count > 3
| eval ban_message="IP address " . src_ip . " exceeded failed login attempts (" . failed_login_count . ")."
| table src_ip, _time, failed_login_count, ban_message

Weekly Report of End-Users’ IP Addresses Attempting VPN Logins

index=vpn_logs sourcetype="your_vpn_sourcetype"
| stats count as login_count by user, src_ip, _time span=1w
| table user, src_ip, _time, login_count

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
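Added example, not from the thread: the same three rules re-implemented in Python over constructed sample VPN log lines, so the thresholds can be checked outside Splunk. It assumes a simple `key=value` log format with `user`, `src_ip` and `action` fields, and it counts rule 2 over a rolling 60-minute window rather than fixed hourly buckets, because `span=1h` splits a burst that crosses the top of the hour into two separate counts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOGS = """
2025-10-06T08:00:00 user=alice src_ip=203.0.113.5 action=success
2025-10-06T08:35:00 user=bob src_ip=198.51.100.9 action=failure
2025-10-06T08:50:00 user=bob src_ip=198.51.100.9 action=failure
2025-10-06T09:05:00 user=bob src_ip=198.51.100.9 action=failure
2025-10-06T09:20:00 user=bob src_ip=198.51.100.9 action=failure
2025-10-06T09:30:00 user=alice src_ip=203.0.113.5 action=success
2025-10-06T11:00:00 user=alice src_ip=203.0.113.5 action=success
2025-10-06T13:00:00 user=alice src_ip=203.0.113.5 action=success
2025-10-06T15:00:00 user=alice src_ip=203.0.113.5 action=success
2025-10-06T17:00:00 user=alice src_ip=203.0.113.5 action=success
"""

def parse(lines):
    """Parse the constructed sample lines (format assumed) into dicts, oldest event first."""
    events = []
    for line in lines.strip().splitlines():
        ts, *kv = line.split()
        events.append({**dict(p.split("=", 1) for p in kv), "_time": datetime.fromisoformat(ts)})
    return sorted(events, key=lambda e: e["_time"])

def daily_success_alerts(events, threshold=5):
    """Rule 1: users with more than `threshold` successes per calendar day (bin span=1d, stats by user, day)."""
    counts = defaultdict(int)
    for e in (x for x in events if x["action"] == "success"):
        counts[(e["user"], e["_time"].date().isoformat())] += 1
    return {k: v for k, v in counts.items() if v > threshold}

def sliding_failure_alerts(events, threshold=3, window=timedelta(hours=1)):
    """Rule 2: src_ip with more than `threshold` failures inside ANY rolling window (fixed span=1h buckets miss bursts that straddle the hour)."""
    recent, flagged = defaultdict(deque), {}
    for e in (x for x in events if x["action"] == "failure"):
        q = recent[e["src_ip"]]
        q.append(e["_time"])
        while e["_time"] - q[0] >= window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            flagged.setdefault(e["src_ip"], (len(q), e["_time"]))  # first time the IP trips the rule
    return flagged

def weekly_login_report(events):
    """Rule 3: attempts per user and src_ip per ISO week (stats count by user, src_ip, _time span=1w)."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["user"], e["src_ip"], "%d-W%02d" % tuple(e["_time"].isocalendar()[:2]))] += 1
    return dict(counts)
```

With the sample above, bob's four failures (08:35 to 09:20) trip the rolling-window rule but would fall into two separate `span=1h` buckets of two each, so a fixed-bucket search would not alert.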