I need to create a rule to get alerts

asakha
Observer
  1. Alert when end-users have logged onto the VPN entry point more than 5 times in a day.
  2. A fail-to-ban feature for IP addresses whose logins fail more than 3 times in 1 hr.
  3. A weekly report of the end-users' IP addresses attempting to log into the VPN entry point.
0 Karma

kiran_panchavat
Communicator

@asakha You have to adjust your correlation search as per your fields. This is just a reference.

Alert when end-users have logged onto the VPN entry point more than 5 times in a day.

index=<indexname> sourcetype=<sourcetypename> status=success
| bin span=1d _time AS day
| stats count by user, day
| where count > 5
| table user, day, count

A fail-to-ban feature for IP addresses whose logins fail more than 3 times in 1 hr.

index=<indexname> sourcetype=<sourcetypename> action=failure
| bin span=1h _time
| stats count as failed_login_count by src_ip, _time
| where failed_login_count > 3
| eval ban_message="IP address " . src_ip . " exceeded failed login attempts (" . failed_login_count . ")."
| table src_ip, _time, failed_login_count, ban_message

Weekly Report of End-Users’ IP Addresses Attempting VPN Logins

index=vpn_logs sourcetype="your_vpn_sourcetype"
| bin span=1w _time
| stats count as login_count by user, src_ip, _time
| table user, src_ip, _time, login_count
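The three rules above are SPL, which cannot be run outside Splunk. As an added example that is not part of either post, the same three checks are implemented in plain Python over a handful of constructed VPN log lines, so the logic can be tested offline before it is turned into correlation searches. The log format (`user=`, `src_ip=`, `action=`), the thresholds (5 successes per day, 3 failures per hour) and the Monday week start are assumptions. It also goes one step beyond the SPL: rule 2 is shown both with fixed one-hour bins, exactly as `bin span=1h` does it, and with a sliding one-hour window, because a burst of failures that straddles a bin boundary is invisible to the fixed-bin version.

```python
"""Detection rules for VPN logins, run over constructed sample log lines.
Added example; the log format, field names, thresholds and week start are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real logs). Assumed format:
# "<ISO timestamp> vpn: user=<name> src_ip=<ip> action=<success|failure>"
# alice: 6 successes in one day; bob: 4 failures inside one hour bin;
# carol: 4 failures within 35 minutes, but split 2/2 across the 03:00 and 04:00 bins.
SAMPLE_LOGS = """\
2024-05-06T08:01:00Z vpn: user=alice src_ip=203.0.113.10 action=success
2024-05-06T09:15:00Z vpn: user=alice src_ip=203.0.113.10 action=success
2024-05-06T10:30:00Z vpn: user=alice src_ip=203.0.113.10 action=success
2024-05-06T11:45:00Z vpn: user=alice src_ip=203.0.113.10 action=success
2024-05-06T13:00:00Z vpn: user=alice src_ip=203.0.113.10 action=success
2024-05-06T14:10:00Z vpn: user=alice src_ip=203.0.113.10 action=success
2024-05-06T08:05:00Z vpn: user=bob src_ip=198.51.100.7 action=success
2024-05-06T22:00:00Z vpn: user=bob src_ip=198.51.100.7 action=failure
2024-05-06T22:10:00Z vpn: user=bob src_ip=198.51.100.7 action=failure
2024-05-06T22:20:00Z vpn: user=bob src_ip=198.51.100.7 action=failure
2024-05-06T22:30:00Z vpn: user=bob src_ip=198.51.100.7 action=failure
2024-05-07T03:40:00Z vpn: user=carol src_ip=192.0.2.55 action=failure
2024-05-07T03:50:00Z vpn: user=carol src_ip=192.0.2.55 action=failure
2024-05-07T04:05:00Z vpn: user=carol src_ip=192.0.2.55 action=failure
2024-05-07T04:15:00Z vpn: user=carol src_ip=192.0.2.55 action=failure
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) src_ip=(?P<src_ip>\S+) action=(?P<action>\S+)$"
)


def parse_logs(text):
    """Turn raw lines into event dicts with a UTC datetime; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def logins_per_day_over(events, threshold=5):
    """Rule 1: (user, day) pairs with more than `threshold` successful logins (bin span=1d)."""
    counts = Counter((e["user"], e["ts"].date()) for e in events if e["action"] == "success")
    return {(user, day.isoformat()): n for (user, day), n in counts.items() if n > threshold}


def failures_per_hour_bin(events, threshold=3):
    """Rule 2 as the SPL does it: failures counted per src_ip in fixed 1h bins (bin span=1h)."""
    counts = Counter(
        (e["src_ip"], e["ts"].replace(minute=0, second=0, microsecond=0))
        for e in events if e["action"] == "failure"
    )
    return {(ip, hour.isoformat()): n for (ip, hour), n in counts.items() if n > threshold}


def failures_sliding_window(events, threshold=3, window=timedelta(hours=1)):
    """Rule 2 with a sliding window: src_ip -> time at which it exceeded `threshold`
    failures inside any span of length `window`. Catches bursts that straddle a bin edge."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "failure":
            by_ip[e["src_ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = times[end].isoformat()
                break
    return flagged


def weekly_report(events):
    """Rule 3: attempts of any outcome by (user, src_ip, week); weeks start Monday (assumption)."""
    def week_start(ts):
        day = ts.date()
        return (day - timedelta(days=day.weekday())).isoformat()
    return dict(Counter((e["user"], e["src_ip"], week_start(e["ts"])) for e in events))


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("rule 1, >5 logins/day:", logins_per_day_over(evs))
    print("rule 2, fixed 1h bins:", failures_per_hour_bin(evs))
    print("rule 2, sliding 1h window:", failures_sliding_window(evs))
    print("rule 3, weekly report:", weekly_report(evs))
```

Running it shows the difference between the two rule 2 variants: bob's address is flagged by both, while carol's four failures are only flagged by the sliding window, since the fixed-bin count sees 2 and 2. If that gap matters, schedule the Splunk search more often than the window length, or use `streamstats` with a time window instead of `bin`. Note also that the searches only detect; the "ban" part needs an alert action that pushes `src_ip` to the firewall or VPN blocklist, and any automated ban should exclude your own management and NAT addresses.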
