Getting Data In

Complex Conditional search based on time

ashutoshab
Communicator

I am a newbie in splunk and practising to learn it slowly.

I have a setup where I am forwarding logs of Windows Machine to splunk. I practise using this setup.
As a practice, I have a use case where I want to trigger an alert if there 5 Failed Logon Attempts (on windows machine) in 30 minutes (or any time range) from Same Account OR Same Network Address.

I can write the search part to identify failed Logon Attempts on windows, But failing to write the further search query.

source="WinEventLog:security" sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4648 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) 
| stats count by host | where count>5 

Now I need help regarding the Time Condition and Two subsearches where I can identify Account_Name or Network_Address to be greater than 5

0 Karma

somesoni2
Revered Legend

Try this

source="WinEventLog:security" sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4648 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) 
| strcat Account_Name " " Network_Address Alert_Field
 | stats count by Alert_Field | where count>5 
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!