Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Usernames Failed to Login against an IP Address | which other IP Addresses has that Username Failed to login against?

JgTheGreat
Engager
‎11-11-2017 07:04 AM

Hello,

I'm looking for a query, which looks for successful [ or unsuccessful ] brute force attempts, and then to take the Username that was [ or unsuccessfully/successfully logged in and then automatically return which other (if any) IP's that account was logged into.

Virtual beers and a high five on offer here 😄

KJG

Tags (1)
0 Karma
Reply

mayurr98
Super Champion
‎11-11-2017 07:37 AM 
index=your_index status=succes OR status=unsuccessful | stats values(srcip) by users status

If you give me sample event and field names associated with it I can give you proper query.

0 Karma
Reply

mayurr98
Super Champion
‎11-11-2017 07:39 AM

You need to edit these query according to naming of the field names in your data.

0 Karma
Reply

JgTheGreat
Engager
‎11-11-2017 07:42 AM

Query in original question - hope that this helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...