Alert - Brute Force Attacks

monteirolopes
Communicator

Hello guys,

I would like to know how to set an alert that will list attempts of brute force attacks.
At the moment I have created the following query:

source="WinEventLog:Security" | transaction user, ip maxpause=5s maxevents=500 | where eventcount > 5 | table user, ip, eventcount

5 login attempts in 5 seconds by user.

In my case, how do I save this query as an alert? Is it scheduled or real-time?
Is it possible to do this alert?
Can anybody help me?

Best regards,
Lopes.

0 Karma

inventsekar
SplunkTrust

After the search query bar and just above the time-picker, you have a "Save As" drop-down menu.
It will give you three options - Report, Dashboard panel, Alert. Choose the 3rd one - Alert.

Scheduled vs. real-time alerts - for alert type comparisons -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/AlertTypesOverview

This is for creating scheduled alerts -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Definescheduledalerts

Once the alert condition gets matched (5 login attempts in 5 seconds by user), you can create an email notification -
http://docs.splunk.com/Documentation/Splunk/6.4.3/Alert/Emailnotification

monteirolopes
Communicator

I didn't understand the rules/conditions for my alert trigger.
In my query I am listing only the results that I want to receive by mail, but how can I set the alert for this case?

Thanks.

0 Karma

inventsekar
SplunkTrust

For this requirement, you can choose the trigger condition as "Number of Results is greater than 0".

0 Karma

monteirolopes
Communicator

And about the type: scheduled? Every 5 seconds? How do I do that?

0 Karma

inventsekar
SplunkTrust

Maybe you can choose real-time alerting.
Regarding alert scheduling, maybe you can choose "every min" and check for 60 logins (60 logins in 60 seconds).

0 Karma

monteirolopes
Communicator
  • It does not work in real-time; the amount of events is incremental.
  • Alert scheduling (60 logins in 60 seconds) doesn't configure a brute force attack.
0 Karma
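As an added example (not code from the thread or from Splunk), the following Python models what the poster's search does: a `transaction user, ip maxpause=5s maxevents=500` grouping followed by `where eventcount > 5`, run over a constructed set of Windows Security logon events. It puts that next to the fixed "60 logins in 60 seconds" per-minute count suggested later in the thread, so the difference the last reply complains about is visible on real numbers. The event records, the `failed_only` option (restricting to Event ID 4625, which the original search does not do) and the helper names are all this example's own assumptions.

```python
"""
Plain-Python model of the SPL search from the thread (added example):

    source="WinEventLog:Security"
    | transaction user, ip maxpause=5s maxevents=500
    | where eventcount > 5
    | table user, ip, eventcount

compared with a fixed per-minute count of logon events per (user, ip).
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2016, 9, 1, 10, 0, 0)

# Constructed sample events, not real log data. Windows Event ID 4625 is
# "An account failed to log on"; 4624 is a successful logon.
SAMPLE_EVENTS = (
    # alice from 10.0.0.5: eight failures one second apart (a burst)
    [{"_time": T0 + timedelta(seconds=i), "user": "alice",
      "ip": "10.0.0.5", "EventCode": 4625} for i in range(8)]
    # bob from 10.0.0.7: two typos then a success, 20 seconds apart
    + [{"_time": T0 + timedelta(seconds=20 * i), "user": "bob",
        "ip": "10.0.0.7", "EventCode": 4625 if i < 2 else 4624}
       for i in range(3)]
)


def transaction(events, group_fields=("user", "ip"),
                maxpause=timedelta(seconds=5), maxevents=500):
    """Model of Splunk's transaction command: events sharing the group
    fields are chained into one transaction as long as the gap to the
    previous event is <= maxpause and the transaction holds fewer than
    maxevents events; otherwise a new transaction starts."""
    runs_by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = tuple(ev[f] for f in group_fields)
        runs = runs_by_key[key]
        if (runs and ev["_time"] - runs[-1][-1]["_time"] <= maxpause
                and len(runs[-1]) < maxevents):
            runs[-1].append(ev)
        else:
            runs.append([ev])
    rows = []
    for key, runs in runs_by_key.items():
        for run in runs:
            row = dict(zip(group_fields, key))
            row["eventcount"] = len(run)
            row["duration"] = (run[-1]["_time"] - run[0]["_time"]).total_seconds()
            rows.append(row)
    return rows


def brute_force_candidates(events, threshold=5, failed_only=True):
    """The poster's search: transactions with eventcount > threshold.
    failed_only (assumed option) keeps only Event ID 4625; the original
    search counts every Security event for the user/ip pair, so
    successful logons would count toward the threshold as well."""
    if failed_only:
        events = [e for e in events if e["EventCode"] == 4625]
    return [t for t in transaction(events) if t["eventcount"] > threshold]


def per_minute_max(events):
    """The alternative from the thread: count events per (user, ip) in
    fixed clock minutes and return the busiest minute for each pair."""
    counts = defaultdict(int)
    for ev in events:
        minute = ev["_time"].replace(second=0, microsecond=0)
        counts[(ev["user"], ev["ip"], minute)] += 1
    best = defaultdict(int)
    for (user, ip, _minute), n in counts.items():
        best[(user, ip)] = max(best[(user, ip)], n)
    return dict(best)


def flag_by_rate(events, threshold=60):
    """'60 logins in 60 seconds': pairs whose busiest minute reaches threshold."""
    return [k for k, n in per_minute_max(events).items() if n >= threshold]


if __name__ == "__main__":
    for row in brute_force_candidates(SAMPLE_EVENTS):
        print("transaction search flags:", row)
    print("busiest minute per pair:", per_minute_max(SAMPLE_EVENTS))
    print("60-per-minute rule flags:", flag_by_rate(SAMPLE_EVENTS))
```

With this data the transaction search returns one row (alice, 10.0.0.5, eventcount 8), while the 60-per-minute rule flags nothing because alice's busiest minute holds only 8 events. Note that the 5-second burst is defined inside the search by `maxpause`, not by the schedule: the saved alert can run every minute (or every few minutes) over a lookback window that covers the run interval plus a margin, with the trigger condition "Number of Results is greater than 0", and it will still report the 8-in-8-seconds burst without needing a 5-second schedule.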