Could you help me build when a user manages to block his password 3 times in a 24-hour period generate a trigger?


Hi team,

Could you help me build when a user manages to block his password 3 times in a 24-hour period generate a trigger? This is for each user. I'm thinking of something like this.


index="main" source="wineventlog:security" EventCode=4740 earliest=-25h 
| rex field=_raw "(?<Account>Account That Was Locked Out:)" 
| search NOT Account_Name="Guest" 
| eval Period=if(_time>relative_time(now(),"-1h"),"New","Old" ) 
| stats count values(Period) as Period by acct_name 
| where mvcount(Period)=1 AND Period="New" AND count >= 3
| sort -count 
| head 10 
| fields -Period


But apparently it doesn't work.



Apparently?  Either it works or it does not.  If it doesn't then please say how it fails you.

I can see a few reasons why this search may not work as expected.

1) The rex command sets the Account field to the fixed string "Account That Was Locked Out:" rather than to an account name.  If you want to extract the account name here, try

| rex field=_raw "Account That Was Locked Out:\s*(?<Account>\w+)" 

2) The query appears to use Account, Account_Name, and acct_name interchangeably.  The account name likely is in only one of those.  If not, additional commands should be used to combine them into one field.

3) where Period="New" won't work with a multivalue field.  Try where mvfind(Period, "New").

4) If the goal is to find 3 failures in the last 24 hours then use earliest=-24h.

If this reply helps you, Karma would be appreciated.
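The logic the answer describes (the corrected rex pattern, Guest excluded, a 24-hour window, a threshold of three lockouts per account) carried out in Python over a few constructed 4740 message excerpts. This is an added example, not the poster's search or any Splunk code; the sample messages, timestamps and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Pattern from the answer: capture the name that follows the label,
# not the label itself.
LOCKED_OUT_RE = re.compile(r"Account That Was Locked Out:\s*(?P<Account>\w+)")

# Constructed 4740 excerpts (timestamp, raw message); not real Windows logs.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (NOW - timedelta(hours=1),  "EventCode=4740 Account That Was Locked Out:  jdoe"),
    (NOW - timedelta(hours=5),  "EventCode=4740 Account That Was Locked Out:  jdoe"),
    (NOW - timedelta(hours=20), "EventCode=4740 Account That Was Locked Out:  jdoe"),
    (NOW - timedelta(hours=30), "EventCode=4740 Account That Was Locked Out:  jdoe"),  # outside 24h
    (NOW - timedelta(hours=2),  "EventCode=4740 Account That Was Locked Out:  asmith"),
    (NOW - timedelta(hours=3),  "EventCode=4740 Account That Was Locked Out:  Guest"),
    (NOW - timedelta(hours=4),  "EventCode=4740 Account That Was Locked Out:  Guest"),
    (NOW - timedelta(hours=6),  "EventCode=4740 Account That Was Locked Out:  Guest"),
]


def extract_account(raw):
    """Return the locked-out account name from a 4740 message, or None."""
    m = LOCKED_OUT_RE.search(raw)
    return m.group("Account") if m else None


def repeated_lockouts(events, now=NOW, window=timedelta(hours=24),
                      threshold=3, exclude=("Guest",)):
    """Count lockouts per account inside the window (the earliest=-24h part)
    and return {account: count} for accounts at or above the threshold."""
    cutoff = now - window
    counts = defaultdict(int)
    for ts, raw in events:
        if ts < cutoff:
            continue
        account = extract_account(raw)
        if account is None or account in exclude:
            continue
        counts[account] += 1
    return {acct: n for acct, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(repeated_lockouts(SAMPLE_EVENTS))  # {'jdoe': 3}
```

The sample messages put the account name directly after the label, as the answer's pattern assumes; in a real 4740 event the name sits on the "Account Name:" line beneath that label, so the pattern needs adjusting for production data.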
