Hello,
I am trying to perform a search in which I return the unsuccessful login attempts per user. In the same alert I put severity, where if only failed attempts were made, the severity is high, but if after those failed attempts there was also a successful attempt, the severity is critical.
The problem is that the alert is not filtering me for the last successful event, but I add all the events, regardless of whether it is successful or failed.
Any suggestions to better arm the alert? I copy the query:
Authentication.EventCode=4768 OR Authentication.EventCode=4771 | transaction Authentication.user maxevents=-1 mvlist=true startswith="failed" | eval Fecha=strftime(_time, "%d/%m/%Y %I:%M:%S %p") | stats First(Fecha) values(host) as Destino values(Authentication.src) as Origen count as "CantIntentos" values(Authentication.action) as Descripcion dc(Authentication.action) as test by sourcetype, Authentication.user | where CantIntentos >50 |eval Severidad=case((test<2 ),"4",1=1, "5") | fields - test
Results (Using list for see all events):
sourcetype Authentication.user First(Fecha) Destino Origen CantIntentos Descripcion Severidad
wineventlog AR029887 20/03/2019 01:10:51 PM Arsrv203 ::ffff:10.35.124.45 4 failure success failure success failure success failure success 5
wineventlog Ar031546 20/03/2019 01:09:30 PM ARSRV018 ::ffff:10.70.39.243 1 failure 4
wineventlog ar021387 20/03/2019 01:09:17 PM ARSRV185 ::ffff:10.17.167.44 4 failure success failure success failure success failure success 5
wineventlog ar027735 20/03/2019 01:11:08 PM ARSRV018 ARSRV184 ::ffff:10.100.5.10 ::ffff:172.22.20.222 41 failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure 4
If you were do to a regular search, I would recommend to use a transaction command (staring at the first failure, ending at the latest OR success)
Then exclude the transactions with success, and focus on the others,
see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction
But those commands are not great for a KPI search in ITSI, as they are transforming the data