Splunk Search

How to search for 3 failed logins followed by 1 successful login from one user to find brute force attacks?

mayurr98
Super Champion

Hello,

 

The question is pretty straightforward. I would like to alert if 3 failed logins followed by 1 successful login from one user is observed.

For example:

Minuteuseraction
1st minutexyzfailure
2nd minutexyzfailure
3rd minutexyzfailure
4th minutexyzsuccess

 

If this condition occurs.  I would like to create an alert. 

Thanks in advance

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mayurr98.

see @adonio 's answer to this question.

https://community.splunk.com/t5/Splunk-Search/create-a-query-for-brute-force/m-p/382086

In addition, in Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435/) you can find some Use cases already developed and here another answer (https://community.splunk.com/t5/All-Apps-and-Add-ons/Example-of-how-to-detect-basic-brute-force-atta...). 

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...