I'm fairly new to Splunk and I've been playing around with some of the security correlation rules and needed some guidance on one.
Below is a search that shows me the user, signature, source of the lockout, and how many times that particular user got locked out from that host.
index=windows* source=WinEventLog:Security EventCode=4740 | stats count by user, signature, src_nt_host
If I do a where count >X on this, it will alert me if one user got locked out multiple times, but I want to know if Y unique users get locked out within a time period. The search below does that, but it doesn't have any useful information with it.
index=windows* source=WinEventLog:Security EventCode=4740 | stats count by signature
Is there a way to show the information from the top query but do a count on how many total log events trip? I'm going to turn this into a correlation rule and we want the appropriate alert but when I click on the query, I'd like it to show the relevant information without hopping to another search.
Thank you very much. Overall that did what I wanted it to do. I think the only tweak I'm going to have to perform is that I have a few entries where the user has multiple src_nt_hosts. So the distinct_users count is maybe 100 where the overall events are 150 since admin may have hits from server1, server2, and server3.
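One way to get both views in a single result set is to keep the per-user/host rows from the first search and attach thread-wide totals with eventstats, which adds the totals as columns on every row instead of collapsing them. This is an added example, not a search from the original thread; the 15-minute window and the threshold of 10 distinct users are placeholder values to tune for your environment.

```spl
index=windows* source=WinEventLog:Security EventCode=4740 earliest=-15m
| stats count AS lockouts by user, signature, src_nt_host
| eventstats sum(lockouts) AS total_events, dc(user) AS distinct_users
| where distinct_users >= 10
| sort - lockouts
```

Because dc(user) counts each account once no matter how many src_nt_host rows it appears on, distinct_users stays lower than total_events when one account is locked out from several hosts, which is the difference noted in the follow-up above.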