Splunk Search

How to search for 3 failed logins followed by 1 successful login from one user to find brute force attacks?

mayurr98
Super Champion

Hello,

 

The question is pretty straightforward. I would like to alert if 3 failed logins followed by 1 successful login from one user is observed.

For example:

Minuteuseraction
1st minutexyzfailure
2nd minutexyzfailure
3rd minutexyzfailure
4th minutexyzsuccess

 

If this condition occurs.  I would like to create an alert. 

Thanks in advance

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mayurr98.

see @adonio 's answer to this question.

https://community.splunk.com/t5/Splunk-Search/create-a-query-for-brute-force/m-p/382086

In addition, in Splunk Security Essentials App (https://splunkbase.splunk.com/app/3435/) you can find some Use cases already developed and here another answer (https://community.splunk.com/t5/All-Apps-and-Add-ons/Example-of-how-to-detect-basic-brute-force-atta...). 

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...