Alerting

How to stop sending the same alert for failed logon attempts by the same user?

amal4885
Explorer

I've setup an alert on Splunk to send an Email when a user logs 3 failed logon attempts in 15mins.

host=MyDC AND ("EventCode=4625" OR "EventCode=4740") | stats count by user | search count > 3

Problem is most of the time these events get logged because of because of Mobile phones attempting to connect using the wrong password and users do not get locked out. So they continue to log failed logon events and continue to send out alerts.

Question: How do I stop it from alerting on the same user?

Tags (2)
0 Karma
1 Solution

sherm77
Path Finder

If you look at the same page for the more latest version (that @kml_uvce gave above), you will see that the "Set up throttling for a per-result alert" section is missing along with a few other sections that were deleted on May 9, 2014, but wasn't included anywhere else. We shouldn't have to point folks to earlier versions of documenation for current features.

Here's the top part of the section, you will see how to use the feature to throttle based on a value or multiple values returned. In my case, I want to throttle based on username & time of login.


Set up throttling for a per-result alert

On the alert actions page for a per-result alert, you can define its throttling rules. You use throttling to reduce the frequency at which an alert triggers. For example, if your alert is being triggered by very similar events approximately 10 times per minute, you can set up throttling rules that cut that frequency down to a much more manageable rate. Throttling rules are especially important for per-result alerts, because they are based on real-time searches and get triggered each time they find a matching result.

Splunk's alert throttling rules enable you to throttle results that share the same field value for a given number of seconds, minutes, or hours. For example, say you have a search that returns results with username=cmonster and username=kfrog every 2-3 minutes or so. You don't want to get these alerts every few minutes; you'd rather not see alerts for any one username value more than once per hour. So here's what you do when you define an alert for this search:

  1. Click the checkbox next to Throttling.

  2. In the Suppress results with field value field, enter username.

  3. In the Suppress actions for listbox, select minute(s).

  4. In the adjacent field, type in 60. This sets the throttling interval to 60 minutes.

Read the link above for the rest of the story...

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...