marcasgrain8
New Member
08-24-2016
08:55 AM
We are using a basic use case to test two methods to do event correlation in Splunk.
Method 1 Regex:
(eventtype="Logon_Success" OR eventtype="Failed_Logins")
|stats list(eventtype) as list by Account_Name
|eval list = mvjoin(list, " ")
|eval alert = if(match(list,"((Failed_Logins.*){3,}?)(Logon_Success\s?)"),"True","False")
|search alert="True"
Method 2:
Step 1: Create Active List similar to ArcSight (list that accumulates events)
(eventtype="Failed_Logins")
|eval last_seen = now()
|inputlookup append=t mylist.csv
|table Account_Name, EventCode, eventtype, _time, last_seen
|eval now = now()
|eval ttl = 3600 * 24
|where (now - last_seen) < ttl
|table Account_Name, EventCode, eventtype, _time, last_seen, now, ttl
|outputlookup mylist.csv
Step 2: Refer to lookup list to trigger alert
sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=528 OR EventCode=540
|stats count by Account_Name
|eval state="Success"
|append [inputlookup mylist.csv|stats count by Account_Name| where count >=3 | eval state="Failed"]
Question: I am having difficulty on this step. How do you trigger an alert with 3 failed logins (this event happens first) followed by a successful login? I find the inputlookup command limiting.
Any suggestions or other methods are also appreciated.
Thank you.
1 Solution

jpolcari
Communicator
08-24-2016
01:51 PM
Here is a search I use in my environment to do something similar:
index=wineventlog | stats list(Action) as Attempts, count(eval(match(Action,"Failed"))) as Failed, count(eval(match(Action,"Success"))) as Success by Username | where mvcount(Attempts)>=4 AND Success=1 AND Failed>=3
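The question's Method 1 and the accepted answer take two different shortcuts: Method 1 joins each account's event types into one string and regex-matches the sequence, while the answer's stats/where search only checks counts (Failed>=3 AND Success=1) and so also fires when the success came before the failures. The block below is an added example, not code from the thread or from Splunk, that runs the same correlation in Python over constructed Windows Security log lines so both behaviours can be compared: count_based() mirrors the answer's count logic, sequence_based() enforces the order (failures, then success, with no success in between) and a time window. The log format, account names and timestamps are constructed; event codes 4624/528/540 come from the question, and 4625/529 are the standard Windows failed-logon IDs, which the thread does not name.

```python
"""Brute-force-then-success correlation over constructed logon events.

Added example: compares count-only correlation (the accepted answer's
stats/where) with an order- and window-aware version.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs. 4624/528/540 are the success codes used in the question;
# 4625/529 are the standard Windows failed-logon IDs (not from the thread).
SUCCESS_CODES = {4624, 528, 540}
FAILED_CODES = {4625, 529}

# Constructed sample data, not real log output. Field names mirror the
# thread's Account_Name / EventCode / _time.
#   alice: 3 failures then a success within 30 s   -> true positive
#   bob:   a success, then 3 failures               -> counts match, order does not
#   carol: 3 failures, success 3 h later            -> depends on the window
SAMPLE_LOG = """\
2016-08-24T08:00:01 EventCode=4625 Account_Name=alice
2016-08-24T08:00:05 EventCode=4625 Account_Name=alice
2016-08-24T08:00:09 EventCode=4625 Account_Name=alice
2016-08-24T08:00:30 EventCode=4624 Account_Name=alice
2016-08-24T08:01:00 EventCode=4624 Account_Name=bob
2016-08-24T08:01:10 EventCode=4625 Account_Name=bob
2016-08-24T08:01:20 EventCode=4625 Account_Name=bob
2016-08-24T08:01:30 EventCode=4625 Account_Name=bob
2016-08-24T09:00:00 EventCode=4625 Account_Name=carol
2016-08-24T09:00:10 EventCode=4625 Account_Name=carol
2016-08-24T09:00:20 EventCode=4625 Account_Name=carol
2016-08-24T12:00:00 EventCode=4624 Account_Name=carol
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventCode=(?P<code>\d+)\s+Account_Name=(?P<acct>\S+)$"
)


def parse_events(text):
    """Parse the constructed format into (time, account, eventtype) tuples.

    Lines that do not match the format, or whose EventCode is neither a
    success nor a failure code, are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code = int(m.group("code"))
        if code in SUCCESS_CODES:
            eventtype = "Logon_Success"
        elif code in FAILED_CODES:
            eventtype = "Failed_Logins"
        else:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        events.append((ts, m.group("acct"), eventtype))
    return events


def count_based(events, min_failed=3):
    """Order-blind correlation, equivalent to the answer's
    `where Success=1 AND Failed>=3`: returns the set of flagged accounts."""
    failed = defaultdict(int)
    success = defaultdict(int)
    for _, acct, eventtype in events:
        if eventtype == "Failed_Logins":
            failed[acct] += 1
        else:
            success[acct] += 1
    return {a for a in set(failed) | set(success)
            if success[a] == 1 and failed[a] >= min_failed}


def sequence_based(events, min_failed=3, window_seconds=3600):
    """Order-aware correlation.

    A success is flagged only if at least `min_failed` failures for the same
    account occurred within `window_seconds` before it, with no success in
    between (a success resets the run). Returns
    {account: (first_failure_time, success_time)} for the first hit per account.
    """
    window = timedelta(seconds=window_seconds)
    per_account = defaultdict(list)
    for ts, acct, eventtype in events:
        per_account[acct].append((ts, eventtype))

    alerts = {}
    for acct, evs in per_account.items():
        evs.sort()  # chronological; order is what the count-based search ignores
        run = []    # timestamps of failures since the last success
        for ts, eventtype in evs:
            if eventtype == "Failed_Logins":
                run.append(ts)
                continue
            recent = [t for t in run if ts - t <= window]
            if len(recent) >= min_failed and acct not in alerts:
                alerts[acct] = (recent[0], ts)
            run = []
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("count-based   :", sorted(count_based(evs)))
    print("sequence (1h) :", sorted(sequence_based(evs)))
    print("sequence (4h) :", sorted(sequence_based(evs, window_seconds=4 * 3600)))
```

On the constructed data the count-based check flags all three accounts, while the sequence-aware check flags only alice with a one-hour window and alice plus carol with a four-hour window; the window is the tunable that Step 1's ttl plays in the question's Method 2. If you keep Method 1, verify the order `stats list()` hands to the regex: it preserves the order in which events reach the command, and a default search returns newest first, so put `| sort 0 _time` before the stats if the pattern is meant to read chronologically.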