Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Transaction with WinEventLog:Security EventCodes 4624 and 4625

donaldwayne1975
Path Finder
‎04-04-2018 12:33 PM

Trying to figure out how to get a transaction search to show results where there are 5 or more failed logons (4625) and then a successful logon (4624). Have a transaction search that works, but all of the results are one failed logon followed by a successful logon. These are the typical fat-fingered the first time and then successfully logon scenarios. Want to see where there are more failed logon attempts and then the successful logon. Below is the base transaction search. Looked at the post ->
https colon slash slash answers dot splunk dot com/answers/351046/how-do-i-edit-my-transaction-search-to-find-over-3 dot html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev , but that seems to only work if one EventCode is in the search. Thank you in advance for your assistance.

index=wineventlog EventCode=4625 OR EventCode=4624 Account_Name!="*$" 
| transaction user, Workstation_Name maxspan=10m startswith=(action="failure") endswith=(action="success")
0 Karma
Reply

adonio
Ultra Champion
‎04-04-2018 12:47 PM

hello there,

here is a great answer by @lguinn for the same use case.
https://answers.splunk.com/answers/553596/detect-successful-bruteforce-attacksuccessful-logi.html
another great one by @woodcock
https://answers.splunk.com/answers/368521/how-can-i-detect-a-successful-login-after-multiple.html

hope those solves it for you, and if not, comment and we will keep at it

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...