Splunk Search

How to find out failed login attempts (EventCode=4625) which are more than 6 times within a 1hr timestamp?

90509
Engager

Hi Team,
I would like to find out which users have failed login attempts greater than 6 times, where those 6 failed login attempts happened within a 1hr timestamp, regardless of the time range we keep in the time range picker.

eg: index="......" sourcetype="........" user="abcd113" EventCode=4625

So, on the basis of my search criteria, let me know how to find out failed attempts within a one-hour timestamp which are greater than 6 times, whether the time range is the last 30 days, 24 hours, 7 days or any other range.

0 Karma
1 Solution

DavidHourani
Super Champion

Hi @90509,

You can do that by simply adding an "hour" field and then hiding it, like this:

index="......" sourcetype="........" user="abcd113" EventCode=4625
| eval hourDay=strftime(_time,"%y-%m-%d %H:00")
| stats count by user,hourDay
| where count >6
| fields - hourDay

Or use the bin command if you're comfortable with that:

index="......" sourcetype="........" user="abcd113" EventCode=4625
| bin _time span=1h
| stats count by user,_time
| where count >6
| fields - _time

Let me know if that helps.

Cheers,
David


0 Karma

mlulmer
Explorer

90509
Engager

Thanks to All for your support.

0 Karma

VatsalJagani
Champion

Hi @90509, Try this search:

<search to find events, specify index and sourcetype and event code, so...> | bin span=1h _time | stats count by user, _time | where count>6

This query will return any user who has had more than 6 failed logins within a 1-hour time span.

Hope this helps!!!

0 Karma


90509
Engager

Thanks David for your great support !!

0 Karma

90509
Engager

Please provide some assistance. The above search is working absolutely perfectly, but I need to fetch only the high events data, NOT the low events data; how do I add that condition?

How could we know from which date the high events have not been coming into Splunk?

index="......" sourcetype="........" user="abcd113" EventCode=4625 OR EventCode=4720 OR EventCode=4722 OR EventCode=4738
| bin _time span=1h
| stats count by user, _time
| where count >6
| fields - _time

Here I need to fetch the high events data, and how do I find from which date the high events have not been coming into Splunk?

0 Karma

90509
Engager

David, I need to add fields like EventCode, Timestamp (_time), user, Account_Name, Account_Domain on the basis of the above condition. So, could you please help me with how to do it?

0 Karma

DavidHourani
Super Champion

Sure thing!
You will have to turn the first query:

index="......" sourcetype="........" user="abcd113" EventCode=4625
| eval hourDay=strftime(_time,"%y-%m-%d %H:00")
| stats count by user,hourDay
| where count >6
| fields - hourDay

Into this:

index="......" sourcetype="........" user="abcd113" EventCode=4625
| eval hourDay=strftime(_time,"%y-%m-%d %H:00")
| stats count, values(Account_Name) as Account_Name, values(Account_Domain) as Account_Domain, values(EventCode) as EventCode, last(_time) as timestamp by user, hourDay
| where count >6
| fields - hourDay

You can add as many values() fields as you want; just make sure you keep user and hourDay behind the by.

0 Karma
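As an added example (not from this thread and not Splunk's own code), here is the logic of David's two answers, the hourly `bin`/`stats count ... by user` threshold and the `values()`/`last(_time)` enrichment, done in plain Python over a constructed set of 4625-shaped events so it can be run and inspected offline. It also implements a sliding one-hour window, because `bin _time span=1h` uses clock-aligned buckets and will not flag seven failures that straddle an hour boundary (four at 10:56-10:59, three at 11:00-11:02). Field names mirror the thread (`user`, `Account_Name`, `Account_Domain`, `EventCode`, `_time`); the sample users, domain and times are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 6                 # mirrors "| where count > 6"
WINDOW = timedelta(hours=1)   # mirrors "span=1h"


def _t(hh, mm):
    return datetime(2022, 6, 27, hh, mm, tzinfo=timezone.utc)


def _ev(t, user, domain="CORP", code=4625):
    # One failed-logon record with the fields the thread's searches reference.
    return {"_time": t, "user": user, "Account_Name": user,
            "Account_Domain": domain, "EventCode": code}


# Constructed sample events, not real Windows Security log data.
# abcd113: 7 failures between 10:01 and 10:19 -> caught by hourly bins.
# efgh222: 4 failures at 10:56-10:59 and 3 at 11:00-11:02 -> 7 in six
#          minutes, but split 4/3 across the 10:00 and 11:00 bins.
# ijkl333: 2 failures hours apart -> benign noise.
SAMPLE_EVENTS = (
    [_ev(_t(10, m), "abcd113") for m in (1, 4, 7, 10, 13, 16, 19)]
    + [_ev(_t(10, m), "efgh222") for m in (56, 57, 58, 59)]
    + [_ev(_t(11, m), "efgh222") for m in (0, 1, 2)]
    + [_ev(_t(9, 30), "ijkl333"), _ev(_t(14, 5), "ijkl333")]
)


def hourly_buckets(events, threshold=THRESHOLD):
    """Fixed clock-aligned 1h bins: the Python counterpart of
    `| bin _time span=1h | stats count, values(...) by user, _time | where count > 6`.
    Returns {(user, hour_start): summary} for every group over the threshold."""
    groups = defaultdict(list)
    for e in events:
        hour = e["_time"].replace(minute=0, second=0, microsecond=0)
        groups[(e["user"], hour)].append(e)
    flagged = {}
    for key, evs in groups.items():
        if len(evs) > threshold:
            flagged[key] = {
                "count": len(evs),
                # values() in SPL returns the distinct values, sorted
                "Account_Name": sorted({e["Account_Name"] for e in evs}),
                "Account_Domain": sorted({e["Account_Domain"] for e in evs}),
                "EventCode": sorted({e["EventCode"] for e in evs}),
                # record both ends of the burst explicitly (see note below)
                "first_failure": min(e["_time"] for e in evs),
                "last_failure": max(e["_time"] for e in evs),
            }
    return flagged


def sliding_window(events, threshold=THRESHOLD, window=WINDOW):
    """Flag a user if ANY one-hour span (not aligned to the clock) holds more
    than `threshold` failures. Returns {user: (window_start, count)} for the
    densest such span per user."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e["_time"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        j = 0  # right edge of the window; only ever moves forward
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            count = j - i
            if count > threshold and count > flagged.get(user, (None, 0))[1]:
                flagged[user] = (start, count)
    return flagged


if __name__ == "__main__":
    for (user, hour), s in hourly_buckets(SAMPLE_EVENTS).items():
        print("bin   ", user, hour.isoformat(), s["count"], s["EventCode"])
    for user, (start, count) in sliding_window(SAMPLE_EVENTS).items():
        print("window", user, start.isoformat(), count)
```

Two points the SPL in the thread glosses over: the binned search reports `abcd113` only, while the sliding window also catches `efgh222`, whose seven failures are no less suspicious for having crossed 11:00; and `last(_time)` in Splunk returns the chronologically earliest value seen, so the `timestamp` column in David's enriched search is the first failure of the hour, not the most recent one. Recording both ends of the burst, as `hourly_buckets` does, avoids that ambiguity in an alert.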

DavidHourani
Super Champion

Most welcome! Please up-vote and accept if it worked for you 🙂

0 Karma