Splunk Search

Alerting on Failed Login Events

SplunkTrust

I would like to be able to generate an alert whenever there is a failed login using the same account from the same IP where the number of events in a 1 minute period is greater than 2. I tried grouping them by using the "bucket" search command but that doesn't give me the desired results. I also looked at the transaction command but that doesn't seem to do what I want either. If I can get the grouping to work the way I want (group all login failures in a 1m period for the same account and client ip)

Here's a sample of the search I did with the "bucket" command (the table command is just there to see the results generated):

eventtype="windows-security-4771" 
| lookup Service_Account_Lookup sAMAccountName as Account_Name OUTPUT sAMAccountName AS User_Account, AdminAccount 
| where AdminAccount="true" 
| bucket _time span=1m 
| stats count by User_Account 
| rename count AS Login_Attempts 
| table _time, User_Account, Login_Attempts

What's the best way to do this?

0 Karma

Splunk Employee

It's as simple as:

eventtype="windows-security-4771" 
| lookup Service_Account_Lookup sAMAccountName AS Account_Name OUTPUT sAMAccountName AS User_Account, AdminAccount 
| where AdminAccount="true" 
| eval Account_IP=User_Account."@".IP_address 
| timechart span=1m limit=0 count by Account_IP 
| untable _time Account_IP Login_Attempts 
| where Login_Attempts > 2

Your sample query didn't include IP_address, so you could just drop it from the above timechart command.

0 Karma

SplunkTrust

Turns out that someone else pointed me to the fact that "transaction" returns two fields duration and eventcount. The eventcount gives me what I want.

0 Karma
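As an added example (not code from any of the posts above), here are the two groupings the thread discusses, side by side: the asker's bucket approach, which only needed _time added to the stats by clause, and the transaction approach from the last reply, which exposes eventcount and duration. Field names (User_Account, IP_address, the Service_Account_Lookup fields) and the threshold of more than 2 failures in 1 minute are taken from the thread; a 4771 event carrying an IP_address field is assumed.

```spl
eventtype="windows-security-4771"
| lookup Service_Account_Lookup sAMAccountName AS Account_Name OUTPUT sAMAccountName AS User_Account, AdminAccount
| where AdminAccount="true"
| bucket _time span=1m
| stats count AS Login_Attempts by _time, User_Account, IP_address
| where Login_Attempts > 2
| table _time, User_Account, IP_address, Login_Attempts

eventtype="windows-security-4771"
| lookup Service_Account_Lookup sAMAccountName AS Account_Name OUTPUT sAMAccountName AS User_Account, AdminAccount
| where AdminAccount="true"
| transaction User_Account, IP_address maxspan=1m
| where eventcount > 2
| table _time, User_Account, IP_address, eventcount, duration
```

The two differ at minute boundaries: bucket uses fixed clock-aligned windows, so three failures at 10:00:58, 10:01:01 and 10:01:03 land in two buckets and never trip the threshold, whereas transaction with maxspan=1m groups any run of events for the same account and IP whose first and last are within a minute of each other. Either search can be saved as an alert that runs every minute over the last few minutes and triggers when the result count is greater than 0.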