We are using a basic use case to test two methods to do event correlation in Splunk.
Method 1 Regex:
(eventtype="Logon_Success" OR eventtype="Failed_Logins")
| stats list(eventtype) as list by Account_Name
| eval list = mvjoin(list, " ")
| eval alert = if(match(list, "((Failed_Logins.*){3,}?)(Logon_Success\s?)"), "True", "False")
| search alert="True"
Method 2:
Step 1: Create Active List similar to ArcSight (list that accumulates events)
(eventtype="Failed_Logins")
| eval last_seen = now()
| inputlookup append=t mylist.csv
| table Account_Name, EventCode, eventtype, _time, last_seen
| eval now = now()
| eval ttl = 3600 * 24
| where (now - last_seen) < ttl
| table Account_Name, EventCode, eventtype, _time, last_seen, now, ttl
| outputlookup mylist.csv
Step 2: Refer to lookup list to trigger alert
sourcetype="WinEventLog:Security" EventCode=4624 OR EventCode=528 OR EventCode=540
|stats count by Account_Name
|eval state="Success"
|append [inputlookup mylist.csv|stats count by Account_Name| where count >=3 | eval state="Failed"]
Question: I am having difficulty on this step. How do you trigger an alert with 3 failed logins (this event happens first) followed by a successful login? I find the inputlookup command limiting.
Any suggestions or other methods are also appreciated.
Thank you.
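Added example, not code from the original post and not Splunk's: a Python sketch of what the two searches above are computing, run over constructed sample events, so the ordering and time-window behaviour of the correlation can be checked outside Splunk. The account names, timestamps, the 24-hour window and the "three consecutive failures then a success" rule are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): each tuple is
# (timestamp, Account_Name, eventtype), reduced to the fields the searches
# use. The first account's events are deliberately out of order to show
# that the correlation has to sort by time per account before reasoning
# about "failures followed by a success".
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:05", "alice", "Logon_Success"),   # success after 3 failures
    ("2024-05-01T07:59:01", "alice", "Failed_Logins"),
    ("2024-05-01T07:59:20", "alice", "Failed_Logins"),
    ("2024-05-01T07:59:40", "alice", "Failed_Logins"),
    ("2024-05-01T09:00:00", "bob", "Failed_Logins"),     # only 1 failure, then success
    ("2024-05-01T09:00:10", "bob", "Logon_Success"),
    ("2024-05-01T09:00:20", "bob", "Failed_Logins"),
    ("2024-05-01T09:00:30", "bob", "Failed_Logins"),
    ("2024-05-01T10:00:00", "carol", "Logon_Success"),   # success BEFORE the failures
    ("2024-05-01T10:00:10", "carol", "Failed_Logins"),
    ("2024-05-01T10:00:20", "carol", "Failed_Logins"),
    ("2024-05-01T10:00:30", "carol", "Failed_Logins"),
    ("2024-05-01T11:00:00", "dave", "Failed_Logins"),    # 3 failures, success 27h later
    ("2024-05-01T11:00:10", "dave", "Failed_Logins"),
    ("2024-05-01T11:00:20", "dave", "Failed_Logins"),
    ("2024-05-02T14:00:00", "dave", "Logon_Success"),
    ("2024-05-01T12:00:00", "erin", "Failed_Logins"),    # failures interleaved with successes
    ("2024-05-01T12:00:10", "erin", "Logon_Success"),
    ("2024-05-01T12:00:20", "erin", "Failed_Logins"),
    ("2024-05-01T12:00:30", "erin", "Logon_Success"),
    ("2024-05-01T12:00:40", "erin", "Failed_Logins"),
    ("2024-05-01T12:00:50", "erin", "Logon_Success"),
]

# The regex from Method 1, unchanged.
REGEX_FROM_METHOD_1 = re.compile(r"((Failed_Logins.*){3,}?)(Logon_Success\s?)")


def _by_account_in_time_order(events):
    """Group events by account, oldest first.

    Splunk hands results to `stats` newest-first unless the search sorts
    them, and `list()` keeps arrival order, so this sort is the equivalent
    of putting `| sort 0 _time` in front of `stats list(eventtype)`.
    """
    grouped = defaultdict(list)
    for ts, account, etype in sorted(events):  # ISO timestamps sort chronologically
        grouped[account].append((datetime.fromisoformat(ts), etype))
    return grouped


def regex_method(events):
    """Method 1: join the per-account eventtype list with spaces and regex it.

    Returns the sorted list of accounts whose joined list matches. Note that
    the `.*` inside the repeated group lets failures and successes interleave,
    so three failures spread across several sessions also match.
    """
    alerts = []
    for account, seq in _by_account_in_time_order(events).items():
        joined = " ".join(etype for _, etype in seq)  # mvjoin(list, " ")
        if REGEX_FROM_METHOD_1.search(joined):
            alerts.append(account)
    return sorted(alerts)


def sequence_method(events, min_failures=3, window_hours=24):
    """Stateful correlation: a run of failures, then a success inside the window.

    This is what the active list in Method 2 is reaching for: the current
    run of failures is remembered per account, failures older than the
    window are ignored (the TTL), and the first success that follows the
    run consumes it. Returns (account, success_time, failures_counted).
    """
    window = timedelta(hours=window_hours)
    alerts = []
    for account, seq in _by_account_in_time_order(events).items():
        streak = []  # timestamps of the current uninterrupted run of failures
        for ts, etype in seq:
            if etype == "Failed_Logins":
                streak.append(ts)
            elif etype == "Logon_Success":
                recent = [t for t in streak if ts - t <= window]
                if len(recent) >= min_failures:
                    alerts.append((account, ts.isoformat(), len(recent)))
                streak = []  # a success ends the run whether or not it alerted
    return alerts


if __name__ == "__main__":
    print("Method 1 (regex):   ", regex_method(SAMPLE_EVENTS))
    print("Stateful sequence:  ", sequence_method(SAMPLE_EVENTS))
    print("Stateful, 48h window:", sequence_method(SAMPLE_EVENTS, window_hours=48))
```

Two points the sample makes visible. First, both methods only work on a per-account sequence that is in chronological order; without a `| sort 0 _time` before `stats list(eventtype)`, the regex in Method 1 would see alice's list reversed and carol's list as a false positive. Second, the regex fires for dave and erin while the stateful version does not: the regex has no notion of time, and its `.*` accepts three failures that are separated by successes. The closest SPL counterpart of `sequence_method` is a `streamstats` over the time-sorted events (for example `streamstats current=f window=3 count(eval(eventtype="Failed_Logins")) as prior_failures by Account_Name`, then keeping `Logon_Success` rows where `prior_failures=3`), which avoids the lookup round trip entirely; treat the exact clause as something to verify against your Splunk version.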