Splunk Enterprise Security

Excessive Failed Logins Correlation Search

bbraun
New Member

Hi guys,

Im not sure how to go about this. We currently have the Excessive Failed Logins Correlation Search enabled on our Splunk ES instance. Id like to filter out the accounts with failed authentications that had their passwords recently expire. I tried using map and join to query okta or wineventlog but couldn't figure it out.

Below is the default correlation search query. Any ideas?

| from datamodel:"Authentication"."Failed_Authentication" | stats values(tag) as "tag",dc(user) as "user_count",dc(dest) as "dest_count",count by "app","src","user","host" | where 'count'>=50

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!