Hello, fellow splunkers!
What I am trying to do is to detect a successful login after multiple failed attempts. I've been trying to get a working search for Windows and Linux but wasn't very successful.
For Linux I found a search posted as answer to a similar question from 2011. I adapted it and at least it does something - but not quite what I want.
"failed password" OR "accepted password"| stats list(action) as list by host, user | eval list = mvjoin(list, " ") | eval alert = if(match(list, " (?:failure\s?){3,}"), "True", "False")
It is supposed to write True in the last column, if there are 3 or more failed logins followed by a successful login. However, no matter what I try, the list it tries to match always contains two failures followed by one success, so that the matching condition is never met. (see screenshot for clarification)
![list][1]
For Windows, I tried writing my own search by using transactions.
(eventtype="win_logon_failed" OR eventtype="win_logon_success") AND (NOT user=HealthMailbox* NOT user=*$*)|stats count by Account_Name, src| where count > 5 | transaction Account_Name startswith=eval(EventCode=4625) endswith=eval(EventCode=4624)
The problem I am facing in this case is that I can't seem to tell Splunk that there need to be a total of at least 6 events (5 failed + 1 successful login).
Can anyone please tell me how to write such queries correctly?
Thanks in advance!
[1]: /storage/temp/105186-list.png
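The detection the question describes, as an added example in Python that is not part of the original post or of Splunk: constructed sshd-style lines are grouped per host and user in time order, and a group is flagged when at least N failures are directly followed by a success (the same mvjoin()+match() idea, but with the events sorted first and the pattern anchored on the success). The sample lines, the regex, and the default threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines in sshd style (not real data).
SAMPLE_LOG = """\
Mar  1 10:00:01 web01 sshd[111]: Failed password for alice from 203.0.113.5 port 4001 ssh2
Mar  1 10:00:03 web01 sshd[111]: Failed password for alice from 203.0.113.5 port 4002 ssh2
Mar  1 10:00:05 web01 sshd[111]: Failed password for alice from 203.0.113.5 port 4003 ssh2
Mar  1 10:00:09 web01 sshd[111]: Accepted password for alice from 203.0.113.5 port 4004 ssh2
Mar  1 10:01:00 web01 sshd[112]: Failed password for bob from 198.51.100.7 port 5001 ssh2
Mar  1 10:01:02 web01 sshd[112]: Accepted password for bob from 198.51.100.7 port 5002 ssh2
Mar  1 10:02:00 db01 sshd[200]: Failed password for invalid user root from 203.0.113.9 port 6001 ssh2
Mar  1 10:02:01 db01 sshd[200]: Failed password for invalid user root from 203.0.113.9 port 6002 ssh2
Mar  1 10:02:02 db01 sshd[200]: Failed password for invalid user root from 203.0.113.9 port 6003 ssh2
Mar  1 10:02:03 db01 sshd[200]: Failed password for invalid user root from 203.0.113.9 port 6004 ssh2
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS> <host> sshd[pid]: Failed|Accepted password for [invalid user] <user> from <src> ..."
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_events(text):
    """Yield (time, host, user, action) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            action = "failure" if m.group("result") == "Failed" else "success"
            yield m.group("time"), m.group("host"), m.group("user"), action

def find_success_after_failures(text, min_failures=3):
    """Return {(host, user): joined action sequence} for every host/user whose
    time-ordered actions contain >= min_failures failures directly followed by a success.
    Sorting by time is what makes the joined sequence meaningful; the pattern then
    requires the run of failures to end in a success, not merely to exist."""
    seqs = defaultdict(list)
    for _time, host, user, action in sorted(parse_events(text)):
        seqs[(host, user)].append(action)
    pattern = re.compile(r"(?:^|\s)(?:failure\s){%d,}success" % min_failures)
    return {key: " ".join(acts) for key, acts in seqs.items()
            if pattern.search(" ".join(acts))}

if __name__ == "__main__":
    for (host, user), seq in find_success_after_failures(SAMPLE_LOG).items():
        print(f"ALERT host={host} user={user} sequence={seq}")
```

Raising `min_failures` to 5 gives the Windows variant from the question (5 failed + 1 successful logon), where nothing in the sample data should fire.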