Splunk Enterprise Security

Splunk Enterprise Security: How to search for Failed Login followed by Successful Login?

dellytaniasetia
Explorer

Hello,

Anyone successfully implement search for 2 failed login followed by a successful login in Windows?

Here is my search but no idea how to specifically filter for failed and successful login event

sourcetype="WinEventLog:Security" | transaction  Account_Name Hostname maxevents=3 maxspan=300s

There are few questions raised but seems nothing works.

0 Karma

Splunker
Communicator

I don't have ES in front of me, but i believe the "Brute Force Access" (words to that effect) correlation-search looks for "try/fail, try/fail, try/succeed" (within 1 day if memory serves, but could be wrong..) no matter if it's Windows or anything else, and it's also built into ES.

ES does it via tags and CIM knowledge provided in the apps/TA's.

Hope it helps.

0 Karma

sundareshr
Legend

Try this (please verify rex for "status" field)

sourcetype="WinEventLog:Security" | rex "(?<Status>Success|Fail") | bin span=5m _time | stats list(Status) as Status by _time Hostname Account_Name | where  mvindex(Status, 0)="Fail" mvindex(Status, 1)="Fail" mvindex(Status, -1)="Success | ...
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...