Splunk IT Service Intelligence

All the failed events and that the last one is successful

aortiz6
New Member

Hello,

I am trying to perform a search in which I return the unsuccessful login attempts per user. In the same alert I put severity, where if only failed attempts were made, the severity is high, but if after those failed attempts there was also a successful attempt, the severity is critical.

The problem is that the alert is not filtering me for the last successful event, but I add all the events, regardless of whether it is successful or failed.

Any suggestions to better arm the alert? I copy the query:

Authentication.EventCode=4768 OR Authentication.EventCode=4771  | transaction Authentication.user  maxevents=-1 mvlist=true startswith="failed" | eval Fecha=strftime(_time, "%d/%m/%Y %I:%M:%S %p") | stats First(Fecha) values(host) as Destino values(Authentication.src) as Origen count as "CantIntentos" values(Authentication.action) as Descripcion dc(Authentication.action) as test  by sourcetype, Authentication.user  | where CantIntentos >50 |eval Severidad=case((test<2 ),"4",1=1, "5") | fields - test

Results (Using list for see all events):

sourcetype  Authentication.user First(Fecha)    Destino Origen  CantIntentos    Descripcion Severidad
wineventlog AR029887    20/03/2019 01:10:51 PM  Arsrv203    ::ffff:10.35.124.45 4   failure success failure success failure success failure success 5
wineventlog Ar031546    20/03/2019 01:09:30 PM  ARSRV018    ::ffff:10.70.39.243 1   failure 4
wineventlog ar021387    20/03/2019 01:09:17 PM  ARSRV185    ::ffff:10.17.167.44 4   failure success failure success failure success failure success 5
wineventlog ar027735    20/03/2019 01:11:08 PM  ARSRV018 ARSRV184   ::ffff:10.100.5.10 ::ffff:172.22.20.222 41  failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure 4
0 Karma

yannK
Splunk Employee
Splunk Employee

If you were do to a regular search, I would recommend to use a transaction command (staring at the first failure, ending at the latest OR success)
Then exclude the transactions with success, and focus on the others,

see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

But those commands are not great for a KPI search in ITSI, as they are transforming the data

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>