Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find count of alerts triggered based on time period it occurred?

Satish15_
New Member
‎10-05-2016 08:40 PM

I am looking for the count of alerts based on time period it occurred.
For example : excessive failed logins has occurred 250 times in last 24hrs
or watchlisted event observed has occurred 10 times in last 24hrs.

I see that this feature is available in security posture but since it uses 'es_notable_events' it takes events outside the time boundaries

0 Karma
Reply

DEAD_BEEF
Builder
‎10-12-2016 10:02 AM

I think you're asking how to show alerts that exceed a pre-defined threshold within a fixed time period. If so, can you try this:

index=[index_name]  action=failed | bucket _time span=24h | stats count by src_ip,username | where count >= 250

I think it might be better to narrow your time window because if someone were trying to brute-force a login, it would be a high fail count in a short amount of time unless they are really trying to be covert. 250 events in 24 hours is averaging 10/hour. I'd look for something like >10 in 5 minutes. Unless of course your system locks the account after X failed logins within 15 mins or so, hence the slow roll of 250 over the course of 24 hours. Just at thought!

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...