Splunk Search

Creating a SPL using tstats for Multiple Failed Logins Followed by Success?

randqm
Loves-to-Learn Everything

Hello Splunk Community,

I'm currently working on creating a search using the tstats command to identify user behavior related to multiple failed login attempts followed by a successful login. I want to use tstats for this due to its efficiency with high volumes of data, compared to the transaction command.

In my case, I want to be able to detect an event sequence where a user has had, let's say, 10 or more failed login attempts, followed by a successful login attempt, within a specified time window (for example, within an hour).

I understand that tstats doesn't provide the same level of detail as transaction for creating sequences of events. However, I'm looking for suggestions on how to use tstats, combined with other SPL commands, to achieve a similar result.

Here's an example of the type of data I'm dealing with:

_time user status

1622890560 user1 failure
1622890620 user1 failure
1622890680 user1 success

In this example, the status field contains "success" or "failure", and the user field contains the user ID.

Any guidance or suggestions would be greatly appreciated.

Thanks in advance for your help!

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @randqm ,

you can use tstats only on a DataModel or on index time fields, so probably user field isn't indexed.

If you haven't a DM, you should use the stats command that much faster than transaction, if you're speaking of windows logs, you could try something like this:

index=wineventlog (EventCode=4624 OR EventCode=4625)
| stats 
   count(eval(EventCode=4624)) AS success_count 
   count(eval(EventCode=4625)) AS failed_count
   by host user
| where success_count>0 AND failed_count>10

if you have different data sources, adapt the search using the success and failed conditions of your data sources.

Ciao.

Giuseppe

0 Karma

sabkha
Loves-to-Learn

but this won't show sequence, how can we have a search that shows successful login after failed logins ( in sequence)

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...