What is the best way to see the alert in action?

abreslin
Observer

I followed a tutorial on how to create an alert for a failed root login by typing "failed password for root". The alert is created, but I want to see the alert be triggered. I'm working on a VM; what's the best way to see the alert in action?

gcusello
SplunkTrust

Hi @abreslin,

this alert is related to a failed access to a Linux system, so you only have to try to access your Linux target system with a wrong account or a wrong password.

What's your problem?

Ciao.

Giuseppe

abreslin
Observer

Thank you so much for the quick reply! I'm sorry, I'm new to all of this. I'm using Splunk on Windows. Is there an alert I can set up to get triggered by failed logins in Windows?

gcusello
SplunkTrust

Hi @abreslin,

The EventCode of a failed login in Windows is 4625, so you have to check for it:

index=wineventlog EventCode=4625
| stats count BY host Account_Name
| where count>10

Obviously, you can choose whatever final threshold you prefer.

One final piece of information: Windows can be useful for testing (I use it on my laptop), for a proof of concept, or for a very small infrastructure, but I have never seen any production system using Windows as the operating system!

Ciao.

Giuseppe

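One way to see the Windows version of this alert fire on the VM, as an added example that is not part of the thread and not Splunk's own code: the script below performs a batch of deliberately failed local logons with a wrong password, then reads the resulting 4625 events back out of the Security log and counts them per target account the same way the query above does, so you can confirm the events exist before you go looking for them in Splunk. It uses the .NET PrincipalContext.ValidateCredentials call to produce the failed logons; the account name `splunktest`, the attempt count and the threshold of 10 are assumptions matching the query, and the script assumes logon failure auditing is enabled on the VM and that it is run from an elevated PowerShell session (reading the Security log requires administrator rights).

```powershell
<#
  Added example, not from the original thread. Generates failed Windows
  logons on the local VM and reads back the 4625 events they produce.
  Run as Administrator. Logon failure auditing must be enabled; check with
      auditpol /get /subcategory:"Logon"
  and enable it if necessary with
      auditpol /set /subcategory:"Logon" /failure:enable
#>
param(
    # Hypothetical account name; the account does not need to exist.
    [string]$UserName = 'splunktest',
    # One more than the "where count>10" threshold used in the alert query.
    [int]$Attempts = 11,
    [int]$Threshold = 10
)

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Machine)

$start = Get-Date
for ($i = 1; $i -le $Attempts; $i++) {
    # ValidateCredentials performs a real logon attempt against the local
    # machine; a wrong password returns $false and is audited as one 4625.
    $null = $ctx.ValidateCredentials($UserName, "not-the-password-$i")
}

# Read back every 4625 ("An account failed to log on") recorded since $start.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $start
} -ErrorAction SilentlyContinue)

# A 4625 event carries two account names: SubjectUserName (who requested the
# logon) and TargetUserName (the account that failed). Key on the target so
# the count lines up with a per-account threshold.
$counts = @{}
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $key = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
    $counts[$key] = [int]$counts[$key] + 1
}

"{0} failed-logon events found since {1:HH:mm:ss}" -f $events.Count, $start
foreach ($k in $counts.Keys) {
    $flag = if ($counts[$k] -gt $Threshold) { 'ALERT' } else { 'ok' }
    '{0,-5} {1,4} failed logons for {2}' -f $flag, $counts[$k], $k
}
```

If the script reports the events but the Splunk alert still does not fire, the gap is usually between the Security log and the index: the VM's Security channel has to be collected (a `[WinEventLog://Security]` input on a forwarder or on the Splunk instance itself) into the index the search names, and the alert's time window has to cover the moment the events were generated. Also note that the Splunk field `Account_Name` on a 4625 event holds both the subject and the target account, so a `stats count BY Account_Name` splits the count across both values; if the numbers look off, key the search on the target account instead.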