Splunk Search

Transaction with WinEventLog:Security EventCodes 4624 and 4625

donaldwayne1975
Path Finder

Trying to figure out how to get a transaction search to show results where there are 5 or more failed logons (4625) and then a successful logon (4624). Have a transaction search that works, but all of the results are one failed logon followed by a successful logon. These are the typical fat-fingered-it-the-first-time, then logged-on-successfully scenarios. Want to see where there are more failed logon attempts and then the successful logon. Below is the base transaction search. Looked at the post ->
https://answers.splunk.com/answers/351046/how-do-i-edit-my-transaction-search-to-find-over-3.html , but that seems to only work if one EventCode is in the search. Thank you in advance for your assistance.

index=wineventlog (EventCode=4625 OR EventCode=4624) Account_Name!="*$"
| transaction user, Workstation_Name maxspan=10m startswith=(action="failure") endswith=(action="success")

adonio
Ultra Champion

hello there,

here is a great answer by @lguinn for the same use case.
https://answers.splunk.com/answers/553596/detect-successful-bruteforce-attacksuccessful-logi.html
another great one by @woodcock
https://answers.splunk.com/answers/368521/how-can-i-detect-a-successful-login-after-multiple.html

hope those solve it for you, and if not, comment and we will keep at it
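A worked version of the search, added here as an example; it is not code from this thread or from the linked answers. It keeps the poster's assumptions (a `wineventlog` index, and `user` and `action` fields populated by the Windows add-on's CIM mappings, as in the posted search); the 10-minute window and the threshold of 5 failures are the values from the question. The change is to drop `startswith`: the transaction command treats an event matching `startswith` as the beginning of a new transaction, so, as I read it, each further 4625 from the same user and workstation closes the transaction already open instead of joining it, which matches the symptom of every result holding exactly one failure. With only `endswith`, a transaction collects events until the first success, so a transaction that contains a success event holds `eventcount - 1` failures.

```spl
index=wineventlog (EventCode=4625 OR EventCode=4624) Account_Name!="*$"
| transaction user, Workstation_Name maxspan=10m endswith=(action="success")
| search action="success"
| eval failures=eventcount-1
| where failures>=5
| table _time user Workstation_Name failures duration
```

`failures>=5` is the same as `eventcount>=6`. The `search action="success"` line discards transactions that were closed by `maxspan` without ever seeing a successful logon, which is what guarantees that every event before the last one is a failure. `Workstation_Name` is blank for some 4624 logon types; if that splits a user's events into separate transactions, group on `user` alone.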
