Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Logon Failures - Different User Accounts - Same Workstation IP

itsmevic
Communicator
‎01-29-2020 05:39 AM

Hi,

 Does anyone have any SPL that looks at multiple logon failures utilizing event codes 672, 675, 676, 4768 and 4771?  The parameters behind this query would be: 

1.) Where client address is the same
2.) But the username is different
3.) Within X minutes

index=wineventlog sourcetype=* EventCode="672" OR "675" OR "676" OR "4768" OR "4771"
| table _time src user
Tags (2)
0 Karma
Reply

gfreitas
Builder
‎01-29-2020 05:48 AM 
index=wineventlog sourcetype=* EventCode="672" OR "675" OR "676" OR "4768" OR "4771"
| stats values(username) as usernames, dc(username) as user_num by src_ip
| where user_num > 1

Above should work, just make sure there is a src_ip on your data otherwise change it to the desired IP field

0 Karma
Reply

nickhills
Ultra Champion
‎01-29-2020 05:46 AM

Add this to the end of your query

|timechart dc(user) as failedUsers by src span=15m|where failedUsers>1

Does that get you close to what you are after?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...