Re: How to search for 3 failed logins followed by ... - Splunk Community

Splunk Search

Hello,

The question is pretty straightforward. I would like to alert if 3 failed logins followed by 1 successful login from one user is observed.

For example:

Minute	user	action
1st minute	xyz	failure
2nd minute	xyz	failure
3rd minute	xyz	failure
4th minute	xyz	success

If this condition occurs. I would like to create an alert.

Thanks in advance

see @adonio 's answer to this question.

https://community.splunk.com/t5/Splunk-Search/create-a-query-for-brute-force/m-p/382086

In addition, in Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435/) you can find some Use cases already developed and here another answer (https://community.splunk.com/t5/All-Apps-and-Add-ons/Example-of-how-to-detect-basic-brute-force-atta...).

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...