Splunk failed login attempts per user

You are right, I want top 10 over the span of the entire search.

What I am trying to achieve is getting a list of the 10 users who had the most failed attempts over the entire search period, then putting that list into a line or area chart that shows the number of failures each day for each user over the selected time period. In our case it will probably be 3-6 months.

We are looking for users who have a large number of failed login attempts over a long period of time, but we want to break it down into chunks like per day so we can see if all the failures for a given user were all in a single day or if it happens in smaller chunks consistently over each month or even each day. This would help tell us if the account was under attack or if the user uses sites like mint.com to log in to our site to check account balances automatically.

If they sign into a system like mint.com, put in their credentials, then change their credentials later on our site and forget to change them in mint.com, we would expect to see consistent failed traffic each day from that account.

A good place to start.
http://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/56b36b4d3c44d86cf33341ca/1454598990...

This is the one I use for failed login events.

index=yourindex sourcetype="WinEventLog:Security" EventCode=4625
| fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1)
| eval Security_ID = mvindex(Security_ID,1)
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)", Logon_Type=4,"Batch", Logon_Type=5,"Service", Logon_Type=7,"Screen Unlock/Session Resume", Logon_Type=10,"Remote Desktop", Logon_Type=11,"Cached", Logon_Type=9,"New Credentials")
| stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType, host, _time
| sort + Security_ID

In case you want it, here is the one for successful login events.

index=yourindex sourcetype="WinEventLog:Security" EventCode=4624
| fillnull value=NULL
| eval Account_Name = mvindex(Account_Name,1)
| eval Security_ID = mvindex(Security_ID,1)
| eval LoginType=case(Logon_Type=3,"RPC (not RDP)", Logon_Type=4,"Batch", Logon_Type=5,"Service", Logon_Type=7,"Screen Unlock/Session Resume", Logon_Type=10,"Remote Desktop", Logon_Type=11,"Cached", Logon_Type=9,"New Credentials")
| stats count(Security_ID) as "Login Events" by Security_ID, Account_Name, LoginType, host, _time
| sort + Security_ID
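The two queries above count events per raw timestamp, which does not give the per-day, top-10 view the original question asks for. Below is an added example (not from any of the posters) that builds on the same EventCode=4625 search and the page's `mvindex(Account_Name,1)` convention (the second Account_Name value in a 4625 event is the account that failed to log on); the index name `yourindex` and the day/burst thresholds are placeholders, and the backtick comments need Splunk 6.5 or newer.

```spl
`Part 1: one row per account, ranked by total failures over the whole search window,`
`with the shape of the failures (all in one day vs. spread over many days).`
index=yourindex sourcetype="WinEventLog:Security" EventCode=4625
| eval Account_Name = mvindex(Account_Name,1)
`Bucket events into days so the counts below are per account per day.`
| bin _time span=1d
| stats count AS daily_failures BY _time, Account_Name
`Roll the daily rows up per account while keeping the daily rows for inspection.`
| eventstats sum(daily_failures) AS total_failures,
             dc(_time)           AS active_days,
             max(daily_failures) AS worst_day
             BY Account_Name
`"burst": more than half of all failures landed on a single day (attack-like).`
`"steady": failures are spread over many days (stale saved credentials, e.g. an aggregator).`
| eval pattern = if(worst_day > 0.5 * total_failures, "burst", "steady")
| dedup Account_Name
| sort 10 - total_failures
| table Account_Name, total_failures, active_days, worst_day, pattern

`Part 2: the line/area chart itself. The where clause picks the ten accounts with the`
`largest total over the entire time range, not per day, and suppresses the OTHER/NULL series.`
index=yourindex sourcetype="WinEventLog:Security" EventCode=4625
| eval Account_Name = mvindex(Account_Name,1)
| timechart span=1d count BY Account_Name useother=f usenull=f where sum in top10
```

Run Part 1 as a statistics table and Part 2 as a line chart; an account that is "steady" in Part 1 shows up as a flat daily line in Part 2, while a "burst" account shows a single spike.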


This will return a list of users who attempted to log in to the Splunk search head. It will list both successful attempts and failed attempts.

index=_audit tag=authentication | stats count by user, info | sort - info


Comments

  1. chris October 14, 2022 at 4:29 pm

    index=_audit tag=authentication | dedup user | stats count by user, info, timestamp | sort - info


The following Splunk search query will return all users who have failed to log on to the Splunk Web console. This query will also include an average (from eventstats).

index=_audit action="login attempt" info=failed | timechart count(user) as Failed_Attempts | eventstats avg(Failed_Attempts) as Average

Comments

  1. JayhawkATL January 30, 2016 at 11:52 am

    I get zero events over All Time when I search for:

    index=_audit action="login attempt"

    Logging parameter not set correct???

    1. SplunkNinja February 1, 2016 at 8:06 am

      I’ve made a revision. Looks like either I had a custom defined field, or the splunk search language has changed (most likely the former).

      Thanks for pointing this out :)

      1. Jay September 4, 2019 at 9:45 am

        Where is the revised version?

        1. SplunkNinja September 5, 2019 at 2:30 pm

          It’s been….~6 months. I’m going to assume I updated the original here :)

  2. Pogoista June 23, 2021 at 5:16 am

    index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" ERROR UiAuth


How do I search for Splunk errors?

You can search by typing keywords in the search bar, like Error, Login, Logout, Failed, etc. After logging in to your Splunk instance, you can see the Search & Reporting app on the left side. Click on the Search & Reporting app to get into the app. You can see the search bar with the time range picker.

Which of the following searches will return results containing the words fail failure or failed in Splunk?

The asterisk (*) character is used as a wildcard character to match fail, failure, failed, failing, and so forth.

What determines the timestamp in Splunk?

It uses the source type of the event, which includes TIME_FORMAT information, to try to find the timestamp. If an event has a time and date, but not a year, Splunk software determines the year and builds the timestamp from that date.