Splunk Search

How to do the query for jumpcloud - bruteforce from svchost?

Izz-
New Member

index=* success="false" process_name="C:\\Windows\\System32\\svchost.exe"
| stats count as failedAttempts by user
| sort -failedAttempts

index=* success="false" process_name="C:\\Windows\\System32\\svchost.exe"
| timechart count by user
| sort by _time

I tried do both query but I'm stuck...Need any guidance, thank you 🙂

Labels (1)
0 Karma

woodcock
Esteemed Legend

Your fields are not correct.  You did not show us sample event data.  You did not tell us what "thing' generated the data.  You did not tell us what sourcetype it is.  You did not tell us what source it is.  You did not tell us what ModInput you are using.  You did not tell us what TA you are using.

0 Karma
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...