Alerting

How to stop sending the same alert for failed logon attempts by the same user?

amal4885
Explorer

I've setup an alert on Splunk to send an Email when a user logs 3 failed logon attempts in 15mins.

host=MyDC AND ("EventCode=4625" OR "EventCode=4740") | stats count by user | search count > 3

Problem is most of the time these events get logged because of because of Mobile phones attempting to connect using the wrong password and users do not get locked out. So they continue to log failed logon events and continue to send out alerts.

Question: How do I stop it from alerting on the same user?

Tags (2)
0 Karma
1 Solution

sherm77
Path Finder

If you look at the same page for the more latest version (that @kml_uvce gave above), you will see that the "Set up throttling for a per-result alert" section is missing along with a few other sections that were deleted on May 9, 2014, but wasn't included anywhere else. We shouldn't have to point folks to earlier versions of documenation for current features.

Here's the top part of the section, you will see how to use the feature to throttle based on a value or multiple values returned. In my case, I want to throttle based on username & time of login.


Set up throttling for a per-result alert

On the alert actions page for a per-result alert, you can define its throttling rules. You use throttling to reduce the frequency at which an alert triggers. For example, if your alert is being triggered by very similar events approximately 10 times per minute, you can set up throttling rules that cut that frequency down to a much more manageable rate. Throttling rules are especially important for per-result alerts, because they are based on real-time searches and get triggered each time they find a matching result.

Splunk's alert throttling rules enable you to throttle results that share the same field value for a given number of seconds, minutes, or hours. For example, say you have a search that returns results with username=cmonster and username=kfrog every 2-3 minutes or so. You don't want to get these alerts every few minutes; you'd rather not see alerts for any one username value more than once per hour. So here's what you do when you define an alert for this search:

  1. Click the checkbox next to Throttling.

  2. In the Suppress results with field value field, enter username.

  3. In the Suppress actions for listbox, select minute(s).

  4. In the adjacent field, type in 60. This sets the throttling interval to 60 minutes.

Read the link above for the rest of the story...

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...