Getting Data In

Complex Conditional search based on time

ashutoshab
Communicator

I am a newbie in Splunk and am practising to learn it slowly.

I have a setup where I am forwarding logs from a Windows machine to Splunk. I practise using this setup.
As a practice, I have a use case where I want to trigger an alert if there are 5 failed logon attempts (on the Windows machine) in 30 minutes (or any time range) from the same account OR the same network address.

I can write the search part to identify failed logon attempts on Windows, but I am failing to write the further search query.

source="WinEventLog:security" sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4648 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) 
| stats count by host | where count>5 

Now I need help regarding the time condition and two subsearches where I can identify Account_Name or Network_Address with a count greater than 5.


somesoni2
Revered Legend

Try this

source="WinEventLog:security" sourcetype="wineventlog:security" (EventCode=4625 OR EventCode=4648 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) 
| strcat Account_Name " " Network_Address Alert_Field
| stats count by Alert_Field | where count>5
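The following is an added example, not code from either post. It implements the rule the question asks for in plain Python over a constructed set of Windows Security events, so the three possible groupings can be compared: failures within a 30-minute window keyed by Account_Name, keyed by the source address, and keyed by the concatenated pair (which is the grouping `strcat Account_Name " " Network_Address Alert_Field` produces). Concatenating the two fields counts only repeats of the same account from the same address, so it misses one account failing from several addresses and many accounts failing from one address; the "OR" in the question needs two separate groupings. The sample events, field names and the helper names (`detect`, `by_account`, `by_address`, `by_account_and_address`) are assumptions for illustration.

```python
"""Failed-logon threshold detection over Windows Security events (added example).

Implements "N failed logons within a window, from the same account OR the same
network address" as a sliding window so the grouping choices can be compared.
A rough Splunk equivalent of one grouping (tumbling 30-minute buckets) is:
    ... EventCode=4625 | bin _time span=30m | stats count by _time, Account_Name
    | where count>=5
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 4625 is "An account failed to log on"; 529-539 are the legacy (pre-Vista)
# failure codes. 4648 (logon with explicit credentials) is not a failure and
# is deliberately left out of this set.
FAILED_LOGON_CODES = {4625, 529, 530, 531, 532, 533, 534, 535, 536, 537, 539}

# Constructed sample events, not real log data:
# (timestamp, EventCode, Account_Name, Source_Network_Address), sorted by time.
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:00", 4625, "alice", "10.0.0.5"),
    ("2024-05-01 09:03:00", 4625, "alice", "10.0.0.5"),
    ("2024-05-01 09:07:00", 4625, "alice", "10.0.0.9"),
    ("2024-05-01 09:12:00", 4625, "alice", "10.0.0.9"),
    ("2024-05-01 09:20:00", 4625, "alice", "10.0.0.5"),    # 5th alice failure in 20 min
    ("2024-05-01 09:30:00", 4624, "alice", "10.0.0.5"),    # successful logon, ignored
    ("2024-05-01 10:00:00", 4625, "bob", "203.0.113.7"),
    ("2024-05-01 10:01:00", 4625, "carol", "203.0.113.7"),
    ("2024-05-01 10:02:00", 4625, "dave", "203.0.113.7"),
    ("2024-05-01 10:03:00", 4625, "erin", "203.0.113.7"),
    ("2024-05-01 10:04:00", 4625, "frank", "203.0.113.7"),  # 5 accounts from one address
    ("2024-05-01 12:00:00", 4625, "bob", "10.0.0.50"),
    ("2024-05-01 12:40:00", 4625, "bob", "10.0.0.50"),     # 40 min apart, never 5 in window
]


def by_account(account, address):
    """Group failures by account only (catches one account from many addresses)."""
    return account


def by_address(account, address):
    """Group failures by source address only (catches password spraying)."""
    return address


def by_account_and_address(account, address):
    """Same grouping as `strcat Account_Name " " Network_Address Alert_Field`:
    only repeats of the exact account/address pair are counted together."""
    return f"{account} {address}"


def detect(events, key, threshold=5, window=timedelta(minutes=30)):
    """Return [(key, timestamp)] for each key that reaches `threshold` failed
    logons within `window` (sliding). Events must be in chronological order.

    Uses >= so that five failures alert; `where count>5` would need six.
    The key's history is cleared after an alert, so a sustained attack alerts
    once per `threshold` failures instead of once per event.
    """
    recent = defaultdict(deque)   # key -> timestamps of failures still inside the window
    alerts = []
    for ts, code, account, address in events:
        if code not in FAILED_LOGON_CODES:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        k = key(account, address)
        q = recent[k]
        q.append(t)
        while q and t - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((k, ts))
            q.clear()
    return alerts


def run_all(events=SAMPLE_EVENTS):
    """Evaluate the three groupings side by side."""
    return {
        "account": detect(events, by_account),
        "address": detect(events, by_address),
        "account+address": detect(events, by_account_and_address),
    }


if __name__ == "__main__":
    for grouping, hits in run_all().items():
        print(f"{grouping:17s} -> {hits}")
```

Against the sample data the account grouping fires for alice at 09:20, the address grouping fires for 203.0.113.7 at 10:04, and the concatenated grouping fires for nothing, which is why a search that must satisfy the "account OR address" requirement needs one `stats count by Account_Name` and one `stats count by Network_Address` (or equivalent) rather than a single combined key.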