Splunk Search

How to create an alert with two conditions that must be met in sequence before the alert can trigger?

syazwani
Path Finder

Hi,

I want to create an alert with two conditions that must be met in sequence before the alert can trigger. We are using the eventID for each condition.

First condition: eventID 4625 count more than 10 by source ip

Second condition: eventID 4624 count more than 1 by source ip

I want the query to meet the first condition, followed by the second condition, and populate a result. Please assist. Thank you.


gcusello
SplunkTrust

Hi @syazwani,

you are speaking of a brute force followed by a successful login.

You can find a sample for your use case in the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435).

But anyway, you could use something like this:

index=wineventlog EventCode IN (4624,4625)
| stats 
   count(eval(EventCode="4625")) AS failed 
   count(eval(EventCode="4624")) AS success 
   BY src_ip
| where failed>10 AND success>0

Ciao.

Giuseppe

0 Karma

Akmal57
Path Finder

Hi gcusello,

I am also facing the same issue, and I have tried your query. It's correct, but it will also return results where the success comes first and then the failures, because the sequence is not there.

Can you suggest another?

0 Karma

gcusello
SplunkTrust

Hi @Akmal57,

it isn't a good idea to add a question to another one, even if it has the same topic, because in this way you'll have less attention.

Anyway, it's strange to have the successful login before the failed ones; usually this doesn't happen.

Anyway, you could use transaction, even if I don't like this command because it's very slow; anyway, you could use something like this:

index=wineventlog EventCode IN (4624,4625)
| transaction src_ip startswith="EventCode=4625" endswith="EventCode=4624"
| where eventcount>11

Check the format of the start and end conditions: whether or not you have spaces in the condition.

Ciao.

Giuseppe
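The difference between the two answers above (the order-insensitive stats count and the order-aware transaction) is easier to see on sample data. The following Python is an added example, not code from the thread or from Splunk: it replays a constructed list of Windows logon events (timestamp, EventCode, src_ip; the IPs and times are made up) and implements both checks side by side, with the same thresholds as the SPL (more than 10 failures, at least one success). The order-aware version only fires when the 4624 arrives after the burst of 4625s from the same source, which is what the transaction query with startswith/endswith expresses.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (ISO timestamp, EventCode, src_ip). Not real log data.
SAMPLE_EVENTS = [
    # 10.0.0.5: 11 failures, then one success -> brute force followed by success
    *[(f"2024-05-01T10:00:{i:02d}", 4625, "10.0.0.5") for i in range(11)],
    ("2024-05-01T10:01:00", 4624, "10.0.0.5"),
    # 10.0.0.9: one success first, then 11 failures -> same counts, wrong order
    ("2024-05-01T09:00:00", 4624, "10.0.0.9"),
    *[(f"2024-05-01T09:01:{i:02d}", 4625, "10.0.0.9") for i in range(11)],
    # 10.0.0.7: three failures then a success -> below the threshold
    *[(f"2024-05-01T11:00:{i:02d}", 4625, "10.0.0.7") for i in range(3)],
    ("2024-05-01T11:00:30", 4624, "10.0.0.7"),
]


def count_by_src(events, failed_min=10, success_min=1):
    """Order-insensitive check, equivalent to the stats query:
    count 4625 and 4624 per src_ip, then apply failed>10 AND success>0.
    Returns the sorted list of matching source IPs."""
    failed = defaultdict(int)
    success = defaultdict(int)
    for _, code, ip in events:
        if code == 4625:
            failed[ip] += 1
        elif code == 4624:
            success[ip] += 1
    return sorted(
        ip for ip in set(failed) | set(success)
        if failed[ip] > failed_min and success[ip] >= success_min
    )


def sequence_by_src(events, failed_min=10):
    """Order-aware check, equivalent to the transaction idea:
    a 4624 only counts if more than failed_min 4625s from the same src_ip
    precede it since that source's last successful logon.
    Returns {src_ip: {"failed_before_success": n, "success_at": ts}}."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    pending_failures = defaultdict(int)  # 4625s seen since the last 4624 per src_ip
    hits = {}
    for ts, code, ip in ordered:
        if code == 4625:
            pending_failures[ip] += 1
        elif code == 4624:
            if pending_failures[ip] > failed_min:
                hits[ip] = {
                    "failed_before_success": pending_failures[ip],
                    "success_at": ts,
                }
            # A success closes the window, whether or not it was a hit.
            pending_failures[ip] = 0
    return hits


if __name__ == "__main__":
    print("count-based:   ", count_by_src(SAMPLE_EVENTS))
    print("sequence-based:", sequence_by_src(SAMPLE_EVENTS))
```

On this sample the count-based check flags both 10.0.0.5 and 10.0.0.9, while the sequence-based check flags only 10.0.0.5, because for 10.0.0.9 the success happened before any failures. Sorting by timestamp before the single pass is what makes the result order-aware; in Splunk the same role is played by the event order transaction walks through.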

Akmal57
Path Finder

Noted on that,

I have tried the query; it works but seems to be very slow and took too much time to produce the result. Is there any other way to get the result faster?

Thank you for your assistance with the query.

0 Karma

gcusello
SplunkTrust

Hi @Akmal57,

I usually avoid using transaction because it's so slow; the only use case where I use transaction is when I have to use the startswith and endswith conditions or a duration.

This means that this is the only solution I know.

Check if my first solution could solve your need, because it isn't usual that the failed logins follow a successful login: the normal case is the opposite.

Ciao.

Giuseppe

0 Karma