Hello,
The question is pretty straightforward. I would like to alert if 3 failed logins followed by 1 successful login from one user is observed.
For example:
| Minute | user | action |
|---|---|---|
| 1st minute | xyz | failure |
| 2nd minute | xyz | failure |
| 3rd minute | xyz | failure |
| 4th minute | xyz | success |
If this condition occurs, I would like to create an alert.
Thanks in advance
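The sequence described in the question (three consecutive failures for a user, then a success), as a runnable detection over sample log lines. This is an added example, not code from the original thread; the log format `"<minute> <user> <failure|success>"` and the sample lines are constructed, and the optional `window_minutes` limit is an assumption not stated in the question.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    minute: int
    user: str
    action: str

def parse(lines):
    """Parse constructed log lines of the form '<minute> <user> <action>'.
    Malformed lines are skipped so one bad record cannot stall detection."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("failure", "success"):
            continue
        events.append(Event(int(parts[0]), parts[1], parts[2]))
    return sorted(events, key=lambda e: e.minute)  # stable: same-minute order kept

def detect(lines, threshold=3, window_minutes=None):
    """Return (user, success_minute, failures_before) for every success that
    directly follows >= threshold consecutive failures by the same user.
    A success resets the user's streak, so a later success does not re-fire.
    window_minutes (assumed parameter) optionally requires the whole streak,
    first failure to success, to fit inside that many minutes."""
    streak = defaultdict(int)   # consecutive failures per user
    started = {}                # minute the current streak began
    alerts = []
    for ev in parse(lines):
        if ev.action == "failure":
            if streak[ev.user] == 0:
                started[ev.user] = ev.minute
            streak[ev.user] += 1
            continue
        n = streak[ev.user]
        span = ev.minute - started.get(ev.user, ev.minute)
        if n >= threshold and (window_minutes is None or span <= window_minutes):
            alerts.append((ev.user, ev.minute, n))
        streak[ev.user] = 0
    return alerts

# Constructed sample: xyz matches the question's pattern; eve has only two
# failures; abc one; a malformed line is present; xyz's streak resets after success.
SAMPLE_LOG = [
    "1 xyz failure", "1 eve failure", "2 xyz failure", "2 abc failure",
    "3 xyz failure", "3 eve failure", "4 xyz success", "4 eve success",
    "5 abc success", "garbage line", "6 xyz failure", "7 xyz success",
]

if __name__ == "__main__":
    for user, minute, n in detect(SAMPLE_LOG):
        print(f"ALERT user={user} success_at_minute={minute} prior_failures={n}")
```

Lowering `threshold` or setting `window_minutes` shows how the same events do or do not fire, which is useful when tuning the rule against noise.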
Hi @mayurr98.
See @adonio's answer to this question:
https://community.splunk.com/t5/Splunk-Search/create-a-query-for-brute-force/m-p/382086
In addition, in the Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435/) you can find some use cases already developed, and here is another answer (https://community.splunk.com/t5/All-Apps-and-Add-ons/Example-of-how-to-detect-basic-brute-force-atta...).
Ciao.
Giuseppe