Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Transaction with WinEventLog:Security EventCodes 4624 and 4625

donaldwayne1975
Path Finder
‎04-04-2018 12:33 PM

Trying to figure out how to get a transaction search to show results where there are 5 or more failed logons (4625) and then a successful logon (4624). Have a transaction search that works, but all of the results are one failed logon followed by a successful logon. These are the typical fat-fingered the first time and then successfully logon scenarios. Want to see where there are more failed logon attempts and then the successful logon. Below is the base transaction search. Looked at the post ->
https colon slash slash answers dot splunk dot com/answers/351046/how-do-i-edit-my-transaction-search-to-find-over-3 dot html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev , but that seems to only work if one EventCode is in the search. Thank you in advance for your assistance.

index=wineventlog EventCode=4625 OR EventCode=4624 Account_Name!="*$" 
| transaction user, Workstation_Name maxspan=10m startswith=(action="failure") endswith=(action="success")
0 Karma
Reply

adonio
Ultra Champion
‎04-04-2018 12:47 PM

hello there,

here is a great answer by @lguinn for the same use case.
https://answers.splunk.com/answers/553596/detect-successful-bruteforce-attacksuccessful-logi.html
another great one by @woodcock
https://answers.splunk.com/answers/368521/how-can-i-detect-a-successful-login-after-multiple.html

hope those solves it for you, and if not, comment and we will keep at it

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...