I am a newbie in splunk and practising to learn it slowly.
I have a setup where I am forwarding logs of Windows Machine to splunk. I practise using this setup.
As a practice, I have a use case where I want to trigger an alert if there are 5 Failed Logon Attempts (on a Windows machine) in 30 minutes (or any time range) from the Same Account OR the Same Network Address.
I can write the search part to identify failed Logon Attempts on Windows, but I am failing to write the rest of the search query.
source="WinEventLog:security" sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4648 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
| stats count by host | where count>5
Now I need help regarding the Time Condition and the Two subsearches where I can identify Account_Name or Network_Address to be greater than 5.
Try this:
source="WinEventLog:security" sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4648 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
| strcat Account_Name " " Network_Address Alert_Field
| stats count by Alert_Field | where count>5
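One way to express both parts the question asks about, the 30-minute window and the "same account OR same address" condition, in a single search. This is an added example, not the answer's own query; it keeps the question's event-code filter and field names (Account_Name, Network_Address), and assumes _time is the Windows event timestamp and that on 4625 events Account_Name is multivalued with the account that failed to log on as its last value (hence the mvindex call).

```spl
source="WinEventLog:security" sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4648 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539)
| eval Account_Name=mvindex(Account_Name, -1)
| eval Account_Name=lower(Account_Name)
| fields _time, host, EventCode, Account_Name, Network_Address
| sort 0 _time
| streamstats time_window=30m count AS by_account BY Account_Name
| streamstats time_window=30m count AS by_address BY Network_Address
| where by_account>=5 OR by_address>=5
| stats max(by_account) AS failures_same_account, max(by_address) AS failures_same_address, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(host) AS hosts BY Account_Name, Network_Address
| convert ctime(first_seen), ctime(last_seen)
```

streamstats with time_window needs the events in ascending time order, which is what the `sort 0 _time` provides; the two streamstats calls count each event's failures within the trailing 30 minutes per account and per source address independently, so either threshold on its own produces a result row for the alert.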