Hello my Splunk Ninjas,
I have a tough one I am trying to figure out. I have a report that gives me:
index=blah sourcetype=unix action=failure
| lookup approved_server_ips ip as src OUTPUT filter
| search filter=0
| eval Local_1=split(upper(user),"\\")
| eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1))
| rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name
| stats count by index,Failed_Account_Name,Source_Device_IP,host
| where count>4
| sort -count
| head $Local_alert_count$
This search runs fine; however, I have instances where I will get a failed "root" login immediately followed by a successful login on the same system:
14:30:00 - 192.555.1.1 root Failed
14:30:02 - 192.555.1.1 root Success
I need to be able to eval these, and if I see a system (Source_Device_IP) with a "Failed" attempt immediately followed by a Success, not report this system. Perhaps something along these lines?
| eval alert = if(match(list, "(?:failure\s?){1,}(?:success)"), "True", "False")
Hi dsmeerkat,
I would try to extract a field with the result of the login, then add this field to stats and use it to filter, something like this:
index=blah sourcetype=unix action=failure
| lookup approved_server_ips ip as src OUTPUT filter
| search filter=0
| eval Local_1=split(upper(user),"\\")
| eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1))
| rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name
| rex "(?<Result>Failed|Success)"
| stats values(Result) AS Result count by index,Failed_Account_Name,Source_Device_IP,host
| where count>4
| sort -count
| search Result=Failed Result=Success
| head $Local_alert_count$
(verify regex).
Bye.
Giuseppe
Or better yet, an eval against epoch time may be better.
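As an added example (not from the original post or from Giuseppe's answer), here is the epoch-time variant of the search hinted at in the last comment. It differs from the answer above in one important way: the base search has to bring in the successes as well, because a search restricted to action=failure can never produce a Result containing Success. The values "failure"/"success" for the action field, the 5-second window, and the field names used for the intermediate steps are assumptions about this data; the lookup, token and splitting logic are taken from the question.

```spl
index=blah sourcetype=unix (action=failure OR action=success)
| lookup approved_server_ips ip as src OUTPUT filter
| search filter=0
| eval Result=if(action="failure", "Failed", "Success")
| eval Local_1=split(upper(user), "\\")
| eval Account=if(isnull(mvindex(Local_1, 1)), user, mvindex(Local_1, 1))
| sort 0 src Account _time
| streamstats current=f window=1 last(Result) as prev_result last(_time) as prev_time by src Account
| eval gap=_time-prev_time
| eval typo_login=if(Result="Success" AND prev_result="Failed" AND gap<=5, 1, 0)
| eventstats max(typo_login) as suppress by src
| where suppress=0 AND Result="Failed"
| stats count by index, Account, src, host
| rename src as Source_Device_IP, Account as Failed_Account_Name
| where count>4
| sort -count
| head $Local_alert_count$
```

How it works: after sorting the events oldest-first per source and account, streamstats with window=1 and current=f attaches each event's predecessor for the same src/Account pair, so a Success whose previous event was a Failed no more than 5 seconds earlier is flagged as typo_login=1. eventstats then spreads the flag to every event from that source, and the where clause drops the whole system (as the question asks) and keeps only the remaining failures for the count. If you only want to suppress the specific account rather than the entire source, add Account to the eventstats by clause. The 5-second gap is the tunable part; compare it against the real gap distribution in your data before alerting on it.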