Alerting

Only alert if event happens X times, but display all events

Branden
Builder

I'm having a small dilemma with an alert that a user would like created...

Quite simply, we want to be alerted if a username has 3 or more failed login attempts in a 30 minute period. And if that alert triggers, I want to display ALL failed login attempts for that 30 minute period.

It sounded simple, but this turned out to be harder than I thought.

When I configure the alert to trigger if "Number of events > 3", it will trigger if ANY three users fail. I only want it to trigger if the same user fails (in the past 30 minutes).

Is there a way to do this? I'm running v4.3.3.

Thanks!

1 Solution

echalex
Builder

Hi,

Sounds to me that what you are trying to do is more or less the same as in this example in the documentation.

Basically, you add something like "| stats count by user"
into the search and create a custom alert trigger such as "search count > 3".

HTH!
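An added example (not from the thread or the Splunk documentation) of wiring the accepted approach up as a saved-search alert that also returns every failure for the offending users. It uses the question's threshold of three or more failures, and the `auth` index, `linux_secure` sourcetype and `user`/`src` field names are assumptions to adjust to your own data:

```ini
# savedsearches.conf (added example; index, sourcetype and field names are assumptions)
[Repeated failed logins per user]
# Run every 5 minutes over the last 30 minutes of data
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now

# eventstats keeps every raw event while adding a per-user failure count,
# so "where" drops users under the threshold but keeps all events of the rest
search = index=auth sourcetype=linux_secure "Failed password" \
| eventstats count AS failures BY user \
| where failures >= 3 \
| table _time user src failures \
| sort user _time

# Custom trigger condition; note the leading "search" keyword mentioned in the
# thread. The alert fires only when some user has 3 or more failures in the window.
counttype = custom
alert_condition = search failures >= 3

# Record fired alerts under Triggered Alerts
alert.track = 1
```

Because `eventstats` attaches the count to each event instead of collapsing them, the triggered alert's result set is the complete list of failures in the window for every user at or over the threshold, which covers the second half of the original question.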


Branden
Builder

Never mind, I think I figured out why that procedure didn't work at first. Turns out it was behaving as expected after all. Thanks again, your link was very helpful!


echalex
Builder

Answer has been corrected now.


echalex
Builder

Oops, there was a minor typo in my answer. Perhaps this affected your results?

You need the "search" keyword in the custom condition, so it will restrict the results to only having more than three failures.


Branden
Builder

Thank you for your response.
Hmm..... the example you pointed me to is exactly what I need. And I followed the example verbatim, but it's not working as expected. It alerts regardless of how many login failures (even if less than three). And the alert report it provides is uninformative, but I can tweak that on my own.

But because the example you linked me to is exactly what I need, I think something else is weird on my end. I may open up a tech support ticket to get this worked out.

Thank you very much for the tip!
