Re: Creating an alert to find fail login within 15...

normangoh · ‎06-16-2015

Hi guys,

I need to create this alert that will fetch failed logins that happen more than 3 times within 15 minutes and display the results as user and the number of events per that user.

I am thinking using something like:

index=indexName eventtype="failed_logins" | bucket _time span=15m

or

index=indexName eventtype="failed_logins" | tranactions <something?> maxspan=15m

Anyone experts can give me some guide?

stephanefotso · ‎06-16-2015

Hello! Here you go

index=indexName eventtype="failed_logins" |stats count

Save it as an Alert!

Title: Failed_alert
Alert Type: Real Time
Trigger Condition: Number of Results
Trigger if Number of Results is : Greater than 3
in : 15 min

For more information, Read here :http://docs.splunk.com/Documentation/Splunk/6.2.3/Alert/Definerolling-windowalerts

Thanks

SGF

gyslainlatsa · ‎06-16-2015

hi normangoh,
write your query

 index=indexName eventtype="failed_logins"

and backup simply as an alert with the following characteristics:

when your research to see all the results, you can use the following query:

 index = indexName eventType = "failed_logins" user = * |table  user  _raw

Creating an alert to find fail login within 15 minutes with a hit of higher than 3 times?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio