×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
kfettig
Explorer
Member since: ‎06-07-2018
‎06-05-2020
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎06-07-2018
Activity Feed
View All

Re: Need help writing query to alert if an account...

by in Alerting
‎06-13-2018 10:13 AM
‎06-13-2018 10:13 AM
Hi again, Below is the query that I eventually came up with. I needed it to only fire an alert if a user+host combination had a certain number of failed logon attempts followed by a successful event within 10 minutes. Another thing I noticed is that event ID 4625 can also be logged in the Application log (I don't recall what logs it), and that Windows 2008R2 and Windows 2012R2 call the name of the file different names: Logfile and LogName, hence that addition to the beginning of the query. Hope this is helpful to someone else. ("Logfile=Security" OR "LogName=Security") AND (EventCode=4625 OR EventCode=4624) | eval username=mvindex(Account_Name, 1) | streamstats count(eval(match(EventCode, "4625"))) as Failed, count(eval(match(EventCode, "4624"))) as Success reset_on_change=true by username | eval alert=if(Failed>3, "yes", "no") | where Failed > 3 | eval newname=username, newhost=host | where (Success > 1 AND host=newhost AND username=newname) | eval end_alert="YES" | table _time, username, host, Failed, Success, alert, newname, newhost, end_alert ... View more

Re: Need help writing query to alert if an account...

by in Alerting
‎06-08-2018 09:24 AM
‎06-08-2018 09:24 AM
Ok, I've tried the query as-is. It's returning results, but I need help to narrow it down even more. As it is written, it's just looking for the word "success" and the word "failure" and counting them up. I only want to track situations where there is more than one failed logon from the same account name on the same host in 10 minutes, and if there are >5 failed attempts from the same account name on the same host, look for a successful logon from that account name on that host. If that successful logon is found, send an alert. The specific event IDs in question are 4624 (successful logon), 4625 (failed logon), and 4776 (NTLM successful and failed). Does this make sense? I don't have any code to post yet since I'm stuck at the gate. Again, any and all help is much appreciated. ... View more

Re: Need help writing query to alert if an account...

by in Alerting
‎06-08-2018 07:15 AM
‎06-08-2018 07:15 AM
Hi kmorris, Thank you for getting back to me so quickly. I appreciate your time. It doesn't work as-is, but definitely points me in the right direction. Thank you also for recommending the Security Essentials. I hadn't heard of that before. I'm going to play with your query now. I'm sure I will need your help again at some point, but then I'll at least have some SPL for you. Warm regards, Kristen ... View more

Need help writing query to alert if an account has...

by in Alerting
‎06-07-2018 10:40 AM
‎06-07-2018 10:40 AM
Hello, everyone - I'm a complete n00b to Splunk and am in need of some direction and help. I need to write a query to alert when an account fails to authenticate to the same Windows server 5 times, followed by a successful logon, within a 10 minute span. I've read and experimented so much that it's all starting to be nonsensical. Any help writing this query is much appreciated. Warm regards, Kristen ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM