I'm trying to see if there's a way to monitor who accesses Splunk and create alerts around that?
Try this. It will look at all login attempts and trigger an alert when a user has more than 1 login failure.
index=_audit login (action=success OR action=failure)
| stats count by user, action
| search action=failure count>1
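As an added example (not part of the original answer), the same idea extended into a search you could schedule as an alert: it restricts the lookback to a window, counts failures and successes per user, records the client addresses seen, and flags users whose failures were followed by a success. It keeps the `action=success`/`action=failure` values from the answer above; the `clientip` field is an assumption about your _audit events, so adjust it if your deployment names it differently.

```spl
index=_audit login (action=success OR action=failure) earliest=-15m
| eval clientip=coalesce(clientip, "unknown")   /* assumed field name */
| stats count(eval(action="failure")) AS failures
        count(eval(action="success")) AS successes
        min(_time) AS first_seen
        max(_time) AS last_seen
        values(clientip) AS sources
        BY user
| where failures > 1
| eval success_after_failures=if(successes > 0, "yes", "no")
| convert ctime(first_seen) ctime(last_seen)
| sort - failures
```

Save it as a scheduled alert on a 15-minute cron with the trigger condition "number of results > 0", and raise the `failures > 1` threshold once you know your normal rate of mistyped passwords.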