<search> (ipaddress="1.1.1.1" OR ipaddres="1.1.1.2") ... View more

Hi @cedSplunk2023, I'was speaking of the system to identify vulnerabilities, not the target systems: are you using Nessus, Tenable or Qualys or which solution? How did you indexed logs, which Add- On did you use? Did you already indexed logs? Ciao. Giuseppe ... View more

Hi @cedSplunk2023, your question is just a little vague! failed password on which opeating system (windows, Linux, etc...) or application or appliance? Anyway to answer to this question you don't need a Splunk expert but of someone that knows the target environment. e.g. to find the failed password on windows, you have to search for EventCode=4625, for Splunk, you have to search "ERROR AuthenticationManagerSplunk - Login failed". In addition you need to know in which index data are stored, e.g. Splunk logs are in "_internal", winevenlogs are usualli in "wineventlog", in conclusion to find the failed logins in windows, you have to search: index=wineventlog EventCode=4625 to find the failed logins in Splunk, you have to search: index=_internal "ERROR AuthenticationManagerSplunk - Login failed" Remember that finding something in Splunk depends on the 70% on your knowledge of the target and 30% on your Splunk knowledge. Ciao. Giuseppe ... View more