Security

Tracking Failed Logins by Usernames, reason for failure, and more

ypop
New Member

We have a simple query which tracks failed login attempts, however, the eventstats function is unable to give me the proper count filter where we need only results where a user has exceeded a specific amount of login attempts:
What our current query looks like:
index=localLogFile loginFail: host=LocalServer | rex field=_raw " ]\s\w{4}:\s(?P/*?):" | eventstats count AS aFieldCount by FailReason | eventstats count(InfoMessage) AS EventCountTotal | table ipAddress UserName FailReason Info Message aFieldCount EventCountTotal

What I'm looking to add to this query
We are looking to simply add another instance of eventstats or stats count that will give us the number of failed attempts when it is less than or greater than a specific number of occurrences, allowing us to later generate a report that will trigger when someone has attempted to log in more times than they should have.

Any direction or help is appreciated

0 Karma

splunker12er
Motivator

try something like this,

makeresults|stats count(_raw) as total_failure_attempts by FailReason| eval occurrence=10|where total_failure_attempts>occurrence | table field_1 field_2 field_3 
0 Karma

ypop
New Member

Thank you,
I ended up combing your logic with my existing query successfully.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...