Alerting

How can I set an alert when there is X numbers of failed logon attemps to get into the domain?

Silverfeyn
Explorer

Hi, I need to set an alert to warn me when someone is trying to get into the domain and had failed multiple times, I know that Windows had the logs for that, but I want it to send me an alert if this is happen in real time.

Thanks in advance, I'm a newbie in splunk : /

Tags (4)

mbenwell
Communicator

Use the stats command to count the number of events by username.
...| stats count by user

Then use the where command to add a condition for which you want to match on.
...| where count > 5

After that create the alert to trigger when there is a result returned

kml_uvce
Builder

try this
go to manager->searches and reports->new
http://docs.splunk.com/Documentation/Splunk/5.0.2/Alert/Setupalertactions

0 Karma

kml_uvce
Builder

Eventid=4776|stats count by user|where count > 2
or
<"your search to findout failed login">|stats count by user|where count > 2.

and create alert

0 Karma

Silverfeyn
Explorer

The problem is, what I need to search for? The event ID is 4776, but how can I set a search to look up for more than 2 failed loggin attemps on the same account, for example?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...