Splunk Enterprise Security

Splunk Enterprise Security: How to search for Failed Login followed by Successful Login?

dellytaniasetia
Explorer

Hello,

Anyone successfully implement search for 2 failed login followed by a successful login in Windows?

Here is my search but no idea how to specifically filter for failed and successful login event

sourcetype="WinEventLog:Security" | transaction  Account_Name Hostname maxevents=3 maxspan=300s

There are few questions raised but seems nothing works.

0 Karma

Splunker
Communicator

I don't have ES in front of me, but i believe the "Brute Force Access" (words to that effect) correlation-search looks for "try/fail, try/fail, try/succeed" (within 1 day if memory serves, but could be wrong..) no matter if it's Windows or anything else, and it's also built into ES.

ES does it via tags and CIM knowledge provided in the apps/TA's.

Hope it helps.

0 Karma

sundareshr
Legend

Try this (please verify rex for "status" field)

sourcetype="WinEventLog:Security" | rex "(?<Status>Success|Fail") | bin span=5m _time | stats list(Status) as Status by _time Hostname Account_Name | where  mvindex(Status, 0)="Fail" mvindex(Status, 1)="Fail" mvindex(Status, -1)="Success | ...
0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...