How to search for 3 failed logins followed by 1 su... - Splunk Community

Splunk Search

Hello,

The question is pretty straightforward. I would like to alert if 3 failed logins followed by 1 successful login from one user is observed.

For example:

Minute	user	action
1st minute	xyz	failure
2nd minute	xyz	failure
3rd minute	xyz	failure
4th minute	xyz	success

If this condition occurs. I would like to create an alert.

Thanks in advance

see @adonio 's answer to this question.

https://community.splunk.com/t5/Splunk-Search/create-a-query-for-brute-force/m-p/382086

In addition, in Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435/) you can find some Use cases already developed and here another answer (https://community.splunk.com/t5/All-Apps-and-Add-ons/Example-of-how-to-detect-basic-brute-force-atta...).

Ciao.

Giuseppe

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...