Splunk Search

How to search for a threshold of failed logins followed by a successful login from a user?

rwmilligan
Explorer

I found another thread where the user was trying something similar, with this string:

index=  | transaction src_ip,user startswith="Login failed " endswith="Login succeeded" maxspan=15m maxpause=8h | stats avg(duration)

Which doesn't go off of any kind of threshold, so a single logon failure followed by a success would be shown. It was suggested, but not exactly how, to use eventstats to create a kind of count for the "Login failed"s so that a threshold could be specified, but the syntax wasn't covered, and I'm still too new to Splunk to get it right. I've been playing around with it a little bit, and was trying something like:

index= | transaction src_ip,user startswith=["Login failed" | eventstats count(src_ip) as count | where count > 10] endswith="Login succeeded" maxspan=30m

But it gives an error, which I kind of expected. I just don't understand the Splunk functions, syntax, and piping well enough to know how to get that startswith = . Do you have to run eventstats first and pipe that into the transaction to use the 15 failed logons in the transaction instead of "Login success", or can you do some kind of subsearch like I was trying with a different syntax?

sundareshr
Legend

Maybe this will give you something to work with

index=* | rex "(?<status>failed|succeeded)" | reverse | streamstats sum(eval(if(status="succeeded", 1, 0))) as session by src_ip user | stats count list(status) by src_ip user session | where count >= 10

gfreitas
Builder

Hi rwmilligan,

You can try to use this search:

index= | transaction src_ip,user startswith="Login failed " endswith="Login succeeded" maxspan=15m maxpause=8h | search eventcount > 5 | stats avg(duration)

With this search I created a threshold of more than 5 events in the transaction; this will show at least 5 failed logins and one succeeded.

Hope this helps

rwmilligan
Explorer

Maybe I'm misunderstanding how these functions work, but would that not just try to find 5 events of a failed logon followed by a successful logon? How does the search eventcount differentiate from the startswith and endswith out of the transaction getting piped into it? Either way, it doesn't seem to be working for me.


gfreitas
Builder

Hi rwmilligan, in this example it groups together all events between "Login failed" and "Login succeeded" with fields src_ip and user that are equal; it doesn't matter how many events are between them. After grouping the events together Splunk creates a field called "eventcount" that shows how many events were grouped together; that's why I'm searching for "eventcount greater than 5".

Were the events grouped together using the transaction command? Could you post an example of the output of the transaction command?

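To make the two approaches in this thread concrete (sundareshr's streamstats sessionization per src_ip/user, and the transaction-with-maxspan plus eventcount threshold from gfreitas), here is an added Python example, not part of the thread and not Splunk's code, that implements the same detection logic outside Splunk over constructed login events. The log line format, the `Login failed` / `Login succeeded` strings, the `threshold` and `maxspan` parameters and the helper names are all assumptions made for the example; it walks events in time order, counts failures since the last success per (src_ip, user), and flags a success only when at least `threshold` failures fall within `maxspan` of it. Note that a transaction's `eventcount` includes the final success, so "N failed logins then a success" is `eventcount > N`, which is what the comparison below mirrors with `>= threshold` on failures alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format is an assumption for this example; the rex in the thread only
# extracts "failed|succeeded", so src_ip and user are assumed to be fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src_ip=(?P<src_ip>\S+) user=(?P<user>\S+) "
    r"Login (?P<status>failed|succeeded)$"
)


def _burst(src_ip, user, start, n_failed, success_after):
    """Build constructed sample lines: n_failed failures one minute apart,
    then one success at start + success_after (sample data, not real logs)."""
    lines = [
        f"{(start + timedelta(minutes=i)).isoformat()} src_ip={src_ip} "
        f"user={user} Login failed"
        for i in range(n_failed)
    ]
    lines.append(
        f"{(start + success_after).isoformat()} src_ip={src_ip} "
        f"user={user} Login succeeded"
    )
    return lines


_DAY = datetime(2024, 5, 1)
# Constructed sample events (not from the thread):
#  - carol: 11 failures at 07:00-07:10, success at 07:40 (outside a 15m span)
#  - alice: 12 failures at 08:00-08:11, success at 08:13 (inside a 15m span)
#  - bob:   2 failures then success (below threshold)
SAMPLE_LOG = "\n".join(
    _burst("10.0.0.7", "carol", _DAY.replace(hour=7), 11, timedelta(minutes=40))
    + _burst("10.0.0.5", "alice", _DAY.replace(hour=8), 12, timedelta(minutes=13))
    + _burst("10.0.0.9", "bob", _DAY.replace(hour=8, minute=30), 2, timedelta(minutes=2))
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(
            {
                "ts": datetime.fromisoformat(m["ts"]),
                "src_ip": m["src_ip"],
                "user": m["user"],
                "status": m["status"],
            }
        )
    return events


def find_brute_force_successes(events, threshold=10, maxspan=timedelta(minutes=15)):
    """Flag a success preceded by >= threshold failures for the same
    (src_ip, user), counting only failures within maxspan of the success.

    This mirrors 'streamstats ... by src_ip user' (a success closes the
    session, the failure count resets) combined with transaction's maxspan.
    """
    pending_failures = defaultdict(list)  # (src_ip, user) -> failure timestamps
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src_ip"], ev["user"])
        if ev["status"] == "failed":
            pending_failures[key].append(ev["ts"])
            continue
        # A success closes the session for this key, like the streamstats sum.
        failures = pending_failures.pop(key, [])
        recent = [t for t in failures if ev["ts"] - t <= maxspan]
        if len(recent) >= threshold:
            hits.append(
                {
                    "src_ip": ev["src_ip"],
                    "user": ev["user"],
                    "failed_count": len(recent),
                    "first_failure": recent[0],
                    "success_at": ev["ts"],
                }
            )
    return hits


if __name__ == "__main__":
    for hit in find_brute_force_successes(parse_events(SAMPLE_LOG)):
        print(hit)
```

Running it with the defaults flags only alice (12 failures within 13 minutes of the success); carol's 11 failures are real but end 30 minutes before her success, so a 15-minute `maxspan` drops them, and widening `maxspan` to an hour flags her too. That is the same trade-off the `maxspan` argument makes in the thread's transaction searches, so it is worth tuning against your own authentication timing before relying on the threshold.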