Security

Tracking Failed Logins by Usernames, reason for failure, and more

ypop
New Member

We have a simple query which tracks failed login attempts, however, the eventstats function is unable to give me the proper count filter where we need only results where a user has exceeded a specific amount of login attempts:
What our current query looks like:
index=localLogFile loginFail: host=LocalServer | rex field=_raw " ]\s\w{4}:\s(?P/*?):" | eventstats count AS aFieldCount by FailReason | eventstats count(InfoMessage) AS EventCountTotal | table ipAddress UserName FailReason Info Message aFieldCount EventCountTotal

What I'm looking to add to this query
We are looking to simply add another instance of eventstats or stats count that will give us the number of failed attempts when it is less than or greater than a specific number of occurrences, allowing us to later generate a report that will trigger when someone has attempted to log in more times than they should have.

Any direction or help is appreciated

0 Karma

splunker12er
Motivator

try something like this,

makeresults|stats count(_raw) as total_failure_attempts by FailReason| eval occurrence=10|where total_failure_attempts>occurrence | table field_1 field_2 field_3 
0 Karma

ypop
New Member

Thank you,
I ended up combing your logic with my existing query successfully.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...