Tags: splunk, splunk-query, intrusion-detection, splunk-formula, splunk-calculation

Finding brute force attacks with splunk


I have a few login failures, then a success, for Administrator. This is what I have, but it doesn't seem to be getting any results:

source=WinEventLog:Security EventCode=4625 OR EventCode=4624 
 | bin _time span=5m as minute 
 | eval username=mvindex(Account_Name, 1)
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=2
 | stats dc(username) as Total by minute 
 | where Total>3

Any ideas on a better way to find failed login attempts for a user and then a successful login?


Solution

  • The Splunk Security Essentials app has an example Brute Force Attempt Detection query.
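As an added example (not from the question or the Security Essentials app), this query pairs each successful logon with the run of failures that immediately preceded it for the same account, which is the "failures then success" pattern the question describes. The Windows Security field names match those in the question; the 10-minute window, the threshold of 3 failures and the `index=wineventlog` scoping are assumptions to adjust for your environment.

```spl
index=wineventlog source="WinEventLog:Security" (EventCode=4625 OR EventCode=4624)
| eval username=mvindex(Account_Name, 1)
| eval outcome=if(EventCode=4625, "failure", "success")
| sort 0 username _time
| streamstats count as streak reset_on_change=true by username outcome
| streamstats current=false window=1
    last(streak) as prior_streak
    last(outcome) as prior_outcome
    last(_time) as prior_time
    by username
| where outcome="success" AND prior_outcome="failure" AND prior_streak>=3
| eval gap_seconds=_time-prior_time
| where gap_seconds<=600
| table _time username prior_streak gap_seconds Workstation_Name Source_Network_Address
```

The first `streamstats` counts consecutive events with the same outcome per account; the second carries the previous event's streak onto the success row, so only a success directly following at least three failures within 10 minutes is reported.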