- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: can some one help me with the query how to ge...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can some one help me with the query how to get successful login after multiple failed logins for windows ?
im trying to get the count of succesfful login after multiple login failure
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
tag=good_login OR tag=bad_login
| eval login_type=if(tag="good_login","Success","Failure")
| table _time AccountName login_type
| streamstats window=1 current=f latest(login_type) as next_login by AccountName
| streamstats count(eval(next_login!=next_login)) as group by AccountName
| stats count(eval(next_login!=next_login)) as mismatch count(eval(next_login!=next_login)) as match by AccountName group
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assume that you have created tags for the following event codes:
tag good_login for event codes 528 540 4624
tag bad_login for event codes 529 530 531 532 533 534 535 536 537 539 4625
You don't have to have the tags, but it makes this example a lot easier.
This is a very simple search, which says "find all accounts that have more than 1 failed login, and also have at least 1 successful login."
tag=good_login [ tag=bad_login | stats count by Account | where count > 1 | fields Account ]
| stats count by Account
Here is another search, which groups together all the logins for an account from a particular IP address and then looks for accounts that have a series of failures followed by a success
tag=good_login OR tag=bad_login
| eval login_type=if(tag="good_login","Success","Failure")
| transaction Account src_ip endswith=login_type=Success
| where login_type="Success" and login_type="Failure" and eventcount > 2
Hopefully this will get you started...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you
But im not getting exactly what i want.For example if 15 logon failures occured and 16 th attempt was success i need to get count as 15 logon failures and 1 success for 1 account.The same thing i should get for different accounts .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you share some data examples? I.e. What does a bad login look like? What does a good login look like?
Also can you share an example of the final report you would like to see?
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
