Splunk Enterprise Security

Splunk Enterprise Security: How to search for Failed Login followed by Successful Login?

Hello,

Anyone successfully implement search for 2 failed login followed by a successful login in Windows?

Here is my search but no idea how to specifically filter for failed and successful login event

sourcetype="WinEventLog:Security" | transaction  Account_Name Hostname maxevents=3 maxspan=300s

There are few questions raised but seems nothing works.

0 Karma

Communicator

I don't have ES in front of me, but i believe the "Brute Force Access" (words to that effect) correlation-search looks for "try/fail, try/fail, try/succeed" (within 1 day if memory serves, but could be wrong..) no matter if it's Windows or anything else, and it's also built into ES.

ES does it via tags and CIM knowledge provided in the apps/TA's.

Hope it helps.

0 Karma

Legend

Try this (please verify rex for "status" field)

sourcetype="WinEventLog:Security" | rex "(?<Status>Success|Fail") | bin span=5m _time | stats list(Status) as Status by _time Hostname Account_Name | where  mvindex(Status, 0)="Fail" mvindex(Status, 1)="Fail" mvindex(Status, -1)="Success | ...
0 Karma