The question is pretty straightforward. I would like to alert if 3 failed logins followed by 1 successful login from one user is observed.
If this condition occurs, I would like to create an alert.
Thanks in advance
See @adonio's answer to this question.
In addition, in the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435/) you can find some use cases already developed, and here is another answer (https://community.splunk.com/t5/All-Apps-and-Add-ons/Example-of-how-to-detect-basic-brute-force-atta...).
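The sequence rule asked about above (failed logins followed by a success from the same user), sketched in Python as an added example that is not part of the original thread and is not Splunk search syntax. The event tuples, the `failure`/`success` action values, the 10-minute window and the "three or more" reading of the threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3               # failures required before the success (from the question)
WINDOW = timedelta(minutes=10)   # assumption: the question states no time bound

# Constructed sample events: (ISO timestamp, user, action)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "failure"),
    ("2024-05-01T09:00:05", "alice", "failure"),
    ("2024-05-01T09:00:09", "alice", "failure"),
    ("2024-05-01T09:00:15", "alice", "success"),   # 3 failures then success: alert
    ("2024-05-01T09:01:00", "bob", "failure"),
    ("2024-05-01T09:01:04", "bob", "failure"),
    ("2024-05-01T09:01:10", "bob", "success"),     # only 2 failures: no alert
    ("2024-05-01T09:02:00", "carol", "failure"),
    ("2024-05-01T09:02:05", "carol", "failure"),
    ("2024-05-01T09:02:10", "carol", "success"),   # success resets carol's streak
    ("2024-05-01T09:02:20", "carol", "failure"),
    ("2024-05-01T09:02:30", "carol", "success"),   # 1 failure since reset: no alert
    ("2024-05-01T08:00:00", "dave", "failure"),
    ("2024-05-01T08:00:05", "dave", "failure"),
    ("2024-05-01T08:00:10", "dave", "failure"),
    ("2024-05-01T09:30:00", "dave", "success"),    # failures older than WINDOW: no alert
]

def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per success that directly follows at least `threshold`
    failures by the same user, all within `window` before that success."""
    streak = defaultdict(deque)   # user -> timestamps of failures since last success
    alerts = []
    for ts, user, action in sorted(events):       # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        fails = streak[user]
        if action == "failure":
            fails.append(when)
        elif action == "success":
            while fails and when - fails[0] > window:
                fails.popleft()                   # drop failures outside the window
            if len(fails) >= threshold:
                alerts.append({"user": user, "failures": len(fails),
                               "first_failure": fails[0].isoformat(), "success": ts})
            fails.clear()                         # any success ends the streak
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Keying the streak on the user alone matches the question; keying it on a (user, source address) pair instead would stop failures from one host being credited to a success from another.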