Splunk Search

How to find out failed login attempts (EventCode=4625) which are more than 6 times within the 1hr timestamp?

Engager

Hi Team,
I would like to find out users whose failed login attempts are greater than 6 times, where those 6 failed login attempts happened within a 1hr timestamp, regardless of the time range we keep in the time range picker.

eg: index="......" sourcetype="........" user="abcd113" EventCode=4625

So, on the basis of my search criteria, let me know how to find out failed attempts within a one-hour timestamp which are greater than 6 times, over the last 30 days, 24 hours, 7 days or any time range.

1 Solution

SplunkTrust

Hi @90509,

You can do that by simply adding an "hour" field and then hiding it, like this:

index="......" sourcetype="........" user="abcd113" EventCode=4625
| eval hourDay=strftime(_time,"%y-%m-%d %H:00")
| stats count by user,hourDay
| where count >6
| fields - hourDay

Or use the bin command if you're comfortable with that:

index="......" sourcetype="........" user="abcd113" EventCode=4625
| bin _time span=1h
| stats count by user,_time
| where count >6
| fields - _time

Let me know if that helps.

Cheers,
David

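The two searches above both count failures per fixed clock hour. The following is an added example (not from the thread or from Splunk) that reproduces that `bin _time span=1h | stats count by user,_time | where count>6` logic in Python over constructed 4625 events, and goes one step further with a sliding 60-minute window, which also catches a burst that straddles an hour boundary (for example 4 failures at 10:58 and 4 more at 11:02, which the fixed buckets split into two groups of 4). Field names, sample users and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

def _ev(user, when, code=4625):
    # Constructed sample event carrying the fields the Splunk searches group on.
    return {"user": user, "_time": when, "EventCode": code}

# Constructed sample: 8 failures for abcd113 straddling 11:00, 7 failures for
# svc_backup inside one clock hour, and one 4624 (successful logon) to be ignored.
EVENTS = (
    [_ev("abcd113", f"2024-03-01 10:5{m}:00") for m in range(6, 10)]
    + [_ev("abcd113", f"2024-03-01 11:0{m}:00") for m in range(0, 4)]
    + [_ev("svc_backup", f"2024-03-01 12:{m:02d}:00") for m in range(0, 60, 9)]
    + [_ev("jdoe", "2024-03-01 12:05:00", code=4624)]
)

def failed_logins_by_hour(events, threshold=6):
    """Mirror of `bin _time span=1h | stats count by user,_time | where count>6`:
    fixed clock-hour buckets, keyed like the hourDay field of the eval variant."""
    counts = defaultdict(int)
    for e in events:
        if e["EventCode"] != 4625:
            continue
        hour = datetime.strptime(e["_time"], FMT).strftime("%Y-%m-%d %H:00")
        counts[(e["user"], hour)] += 1
    return {k: n for k, n in counts.items() if n > threshold}

def failed_logins_sliding(events, threshold=6, window=timedelta(hours=1)):
    """Stricter variant: more than `threshold` failures in ANY 60-minute span,
    so a burst split across a clock-hour boundary is still reported."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventCode"] == 4625:
            by_user[e["user"]].append(datetime.strptime(e["_time"], FMT))
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            n = end - start + 1
            if n > threshold:
                hits[user] = max(hits.get(user, 0), n)
    return hits
```

With the sample data, the clock-hour version reports only svc_backup, while the sliding version reports both users.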

Engager

Thanks to All for your support.


Motivator

Hi @90509, try this search:

<search to find events, specify index and sourcetype and event code, so...> | bin span=1h _time | stats count by user, _time | where count>6

This query will return a user if any has had more than 6 failed logins within a 1-hour time span.

Hope this helps!!!



Engager

Thanks David for your great support !!


Engager

Please provide some assistance. The above search is working absolutely perfectly, but I need to fetch only high events data, NOT low events data. How do I add that condition?

How could we know from which date the high events have not been coming into Splunk?

index="......" sourcetype="........" user="abcd113" (EventCode=4625 OR EventCode=4720 OR EventCode=4722 OR EventCode=4738)
| bin _time span=1h
| stats count by user, _time
| where count >6
| fields - _time

Here I need to fetch high events data, and how do I find from which date the high events have not been coming into Splunk?


Engager

David, I need to add fields like EventCode, Timestamp (_time), user, Account_Name and Account_Domain based on the above condition. So, could you please help me with how to do it?


SplunkTrust

Sure thing!
You will have to turn the first query:

index="......" sourcetype="........" user="abcd113" EventCode=4625
| eval hourDay=strftime(_time,"%y-%m-%d %H:00")
| stats count by user,hourDay
| where count >6
| fields - hourDay

Into this:

index="......" sourcetype="........" user="abcd113" EventCode=4625
| eval hourDay=strftime(_time,"%y-%m-%d %H:00")
| stats count, values(Account_Name) as Account_Name, values(Account_Domain) as Account_Domain, values(EventCode) as EventCode, last(_time) as timestamp by user, hourDay
| where count >6
| fields - hourDay

You can add as many values(field) clauses as you want; just make sure you keep user and hourDay after the by.


SplunkTrust

Most welcome! Please up-vote and accept if it worked for you 🙂
