splunk splunk-query intrusion-detection splunk-formula splunk-calculation

Finding brute force attacks with splunk

I have a few login failures then a success for Administrator and this is what I have but it doesn't seem to be getting any results:

source=WinEventLog:Security EventCode=4625 OR EventCode=4624 
 | bin _time span=5m as minute 
 | eval username=mvindex(Account_Name, 1)
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=2
 | stats dc(username) as Total by minute 
 | where Total>3

Any ideas on a better way to find failed login attempts for a user and then a successful login?

Solution

The Splunk Security Essentials app has an example Brute Force Attempt Detection query.

Splunk query to find those final results that has events with unique combination of values of two keys in results of main search criteria
login-info.cfg Splunk file semantic and structure
Splunk SignalFX Synthetics: Is it possible to retrieve environment variable values in Javascript
Form a results table view from splunk multiple logs
Exclude unnecessary logs being sent to splunk cloud platform
How to Attach Splunk Search Results In JIra Via Terraform Automation?
Regex Substitue only on a specific group - sedcmd (Splunk)
Regex to only return matches when followed by a specific word
embeding conf files into helm chart
Splunk Logs for Faster Queries, with Category Boolean true
How to create a timechart in splunk for the timestamp and extracted field?
Match regex named group up until optional word
How can I access the TraceId generated by splunk-otel-collector within an ASP.NET web application?
Splunk result in Table format
Splunk: How to compute the difference of timestamps by id?
SPLUNK: How can I count events by location with a list of SERVERNAME's?
How to represent difference between same fields from two different and simultaneous searches in a table format in Splunk?
Java 11 HttpClient - POST issue
Flume sink to Splunk?
Questions related to splunk builtin macros in correlation search
how to send the local file using splunk forwarder docker image?
A table of counts of http status by URL
How do I use a specific date/time in Splunk dashboard with earliest and latest?
Splunk - Handling a blank token for a dashboard search
Splunk - Extracting from search results using regex and aggregates
Splunk - Grouping by distinct field with stats of another field
Trying to log to Splunk using logback appender
How can I download infinite results from a Splunk Search to Export the Data
Regex extraction from Right to Left
How to use Python via AWS Lambda to send millions (large quantities of data) of events to Splunk