Hello,
I have this search string:
source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR (EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") minutesago="20" | eval User_Name=coalesce(User_Name,Account_Name) | stats count by host, User_Name, Logon_Desc | sort -count | search count > 2
It alerts on failed logins across our Windows servers. If there are >2 failed logins on a server by a user, it alerts.
What I would like is for it to alert on >2 failed logins on a server in the time period, regardless of the username. Right now it alerts if bsmith fails 3 times, but I want it to alert if someone is trying admin, administrator, and root. Three failed logins on a specific server instead of a specific username on a specific server.
However, the output I want is still the host, the username, and the logon type (which is simply a lookup for whether they are connecting via RDP, at the console, etc.). I need to know what usernames they are actually trying.
I cannot seem to tweak this the right way.
Thanks for any help.
Kevin
Seems you can do a conditional alert. Use the above search, drop the `| search count > 2`, and condition it on `stats sum(count) as count by host | where count > 3`.
Gerald's answer will work, but if you're running this ad-hoc (not in an alert):
| stats count,list(User_Name),list(Logon_Desc) by host
You can also use values() instead of list(). The difference is described here: http://www.splunk.com/base/Documentation/4.1.5/SearchReference/CommonStatsFunctions
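The per-host threshold the question asks for, worked through in Python rather than SPL so it can be run offline (added example, not code from the original thread or from Splunk). It models the pipeline from the posted search: filter to the failed-logon event codes, `coalesce(User_Name, Account_Name)`, count by host/user/logon type, then apply the threshold to the per-host total while keeping every per-user row for the alert output. The events, host names and user names are constructed sample data, and `per_user_alerts` reproduces the original search's behaviour for comparison.

```python
"""Per-host failed-logon threshold that still reports each user name and
logon type. Added example modelled on the Splunk search in the thread;
all events below are constructed, not real Security log entries."""
from collections import Counter, defaultdict

# Event codes from the posted search: 4625, 539, 529-537 and 547-549.
FAILED_LOGON_CODES = (
    {"4625", "539"}
    | {str(c) for c in range(529, 538)}
    | {str(c) for c in range(547, 550)}
)

# Constructed sample events, shaped like Splunk's extracted fields.
# Account_Name stands in for events that lack User_Name (hence coalesce).
SAMPLE_EVENTS = [
    {"host": "srv1", "EventCode": "4625", "User_Name": "admin", "Logon_Desc": "RemoteInteractive"},
    {"host": "srv1", "EventCode": "4625", "Account_Name": "administrator", "Logon_Desc": "RemoteInteractive"},
    {"host": "srv1", "EventCode": "4625", "User_Name": "root", "Logon_Desc": "RemoteInteractive"},
    {"host": "srv2", "EventCode": "4625", "User_Name": "bsmith", "Logon_Desc": "Interactive"},
    {"host": "srv2", "EventCode": "4625", "User_Name": "bsmith", "Logon_Desc": "Interactive"},
    {"host": "srv2", "EventCode": "4625", "User_Name": "bsmith", "Logon_Desc": "Interactive"},
    {"host": "srv3", "EventCode": "4625", "User_Name": "jdoe", "Logon_Desc": "Network"},
    {"host": "srv3", "EventCode": "4624", "User_Name": "jdoe", "Logon_Desc": "Network"},  # success, ignored
]


def is_failed_logon(event):
    """Equivalent of the EventCode filter in the original search."""
    return event.get("EventCode") in FAILED_LOGON_CODES


def user_name(event):
    """Equivalent of eval User_Name=coalesce(User_Name, Account_Name)."""
    return event.get("User_Name") or event.get("Account_Name") or "unknown"


def count_by_host_user_desc(events):
    """Equivalent of stats count by host, User_Name, Logon_Desc."""
    return Counter(
        (e["host"], user_name(e), e.get("Logon_Desc", "unknown"))
        for e in events
        if is_failed_logon(e)
    )


def per_user_alerts(events, threshold=2):
    """Original behaviour: alert when one user fails more than `threshold`
    times on one host (stats ... | search count > threshold)."""
    counts = count_by_host_user_desc(events)
    return {key: n for key, n in counts.items() if n > threshold}


def per_host_alerts(events, threshold=2):
    """Requested behaviour: alert when a host's total failed logons exceed
    `threshold` regardless of user, but keep the per-user rows so the
    analyst sees which names were tried. Returns
    {host: [(user, logon_desc, count), ...]} sorted by count descending."""
    counts = count_by_host_user_desc(events)
    host_total = defaultdict(int)          # like eventstats sum(count) by host
    for (host, _, _), n in counts.items():
        host_total[host] += n
    result = defaultdict(list)
    for (host, user, desc), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if host_total[host] > threshold:
            result[host].append((user, desc, n))
    return dict(result)


if __name__ == "__main__":
    print("per-user (original):", per_user_alerts(SAMPLE_EVENTS))
    for host, rows in per_host_alerts(SAMPLE_EVENTS).items():
        print(host, rows)
```

With the sample data the original per-user rule fires only for srv2 (bsmith, three failures), while the per-host rule also fires for srv1, where admin, administrator and root were each tried once; srv3 stays quiet because its single failure is under the threshold and the 4624 success is filtered out.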