Re: Complex Conditional search based on time

ashutoshab · ‎07-03-2017

I am a newbie in splunk and practising to learn it slowly.

I have a setup where I am forwarding logs of Windows Machine to splunk. I practise using this setup.
As a practice, I have a use case where I want to trigger an alert if there 5 Failed Logon Attempts (on windows machine) in 30 minutes (or any time range) from Same Account OR Same Network Address.

I can write the search part to identify failed Logon Attempts on windows, But failing to write the further search query.

source="WinEventLog:security" sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4648 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) 
| stats count by host | where count>5

Now I need help regarding the Time Condition and Two subsearches where I can identify Account_Name or Network_Address to be greater than 5

somesoni2 · ‎07-03-2017

Try this

source="WinEventLog:security" sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4648 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) 
| strcat Account_Name " " Network_Address Alert_Field
 | stats count by Alert_Field | where count>5

Complex Conditional search based on time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation