Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Tracking failed logins followed by successful logins using the transaction command

My
Engager
‎11-28-2021 06:25 PM

Hello,

I am trying to track failed logons followed by a successful one using the transaction command and the following criteria:

Limit the time span to 5 min,  add a startswith so each transaction will begin with a logon failure, add an endswith so each transaction will end with logon success and add a | where to find when the eventcount exceeds 3

this is what I have so farMy_0-1638152521000.png

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-29-2021 01:08 AM

Hi @My,

I don't like transaction command and I use it only when I haven't any other solution.

In your case, you could do this:

index=wineventlog sourcetype=xmlwineventlog:Security EventCode IN (4624,4625)
| stats dc(EventCode) AS dc_eventcode count(eval(EventCode=4625)) AS failed BY user host
| where dc_eventcode>1 AND failed>5

in this way you have the filter for more than 5 failed logins and a successful login grouped for user and host.

Ciao.

Giuseppe

0 Karma
Reply

rrovers
Contributor
‎11-29-2021 12:57 AM

I don't see what's wrong with this, except that I don't understand the "where eventcount >3". Without that I expect that it should give you the right results. Or what is it exactly that you are missing?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...