subsearch for failed login

hok2010 · ‎01-19-2019

hi guys i wanted to search for a list of failed login attempts by privileged users from existing successful logons (EventCode=4672).
I tied to do a subsearch but resulting in a false positive
Other non-privilleged users also comes in to my result.

index=main sourcetype="wineventlog:security" EventCode=4625
| eval Account_Name=mvindex(Account_Name,1)
| search Account_Name!=$
| append
[ search index=main sourcetype="wineventlog:security" EventCode=4672 Account_Name!=$
| table Account_Name]
| table _time EventCode Account_Name

kamlesh_vaghela · ‎01-19-2019

@hok2010

Can you please try this?

index=main sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4672 ) 
| eval Account_Name=mvindex(Account_Name,1) 
| search Account_Name!=$ 
| table _time EventCode Account_Name 
| stats latest(eval(if(EventCode=="4625",_time,NULL))) as _time count(eval(EventCode="4625")) as EventCode_4625 count(eval(EventCode="4672")) as EventCode_4672 by Account_Name  | where EventCode_4625=1 AND EventCode_4672=1
| table _time EventCode_* Account_Name

My Sample Seach:

| makeresults 
| eval EventCode=4625,Account_Name="AAA" 
| append 
    [| makeresults 
    | eval EventCode=4625,Account_Name="BBB"] 
| append 
    [| makeresults 
    | eval EventCode=4672,Account_Name="BBB"] 
| search (EventCode=4625 OR EventCode=4672 ) 
| stats latest(eval(if(EventCode=="4625",_time,NULL))) as _time count(eval(EventCode="4625")) as EventCode_4625 count(eval(EventCode="4672")) as EventCode_4672 by Account_Name  | where EventCode_4625=1 AND EventCode_4672=1
| table _time EventCode_* Account_Name

Thanks

subsearch for failed login

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM