Is Splunk is able to detect low and slow password attack using correlation search? E.g. hacker attempt to guess password by keep trying 2-3 times (below account lockout threshold) everyday until he managed to get the correct password without getting the user's account locked.
Not sure if there is an inbuilt functionality but here is what I do.
Setup an search that checks for failed password on daily basis. Check for ids which are constantly appearing on daily basis for x number of times. If the pattern continues then you know if a hacker is trying to break into a particular id.