datamodels Archives -

Find success login after 10 failures with streamstats

If you have the Authentication data model configured you can use the following search to quickly find successful logins after 10 failed attempts!

| from datamodel:"Authentication"."Authentication"
| search action=failure or action=success
| reverse
| streamstats window=0 current=true reset_after="(action=\"success\")" count as failure_count by src
| where action="success" and failure_count > 10

| from datamodel:"Authentication"."Authentication"

| search action=failure or action=success

| reverse

| streamstats window=0 current=true reset_after="(action=\"success\")" count as failure_count by src

| where action="success" and failure_count > 10

Continue Reading →

Search Traffic by Source IP

GoSplunk Admin Notes: If you have a data model enabled that matches the search below, this might work for you!

| datamodel Network_Traffic All_Traffic search | search All_Traffic.src_ip=10.x.x.x | stats count by All_Traffic.src_ip, All_Traffic.dest,All_Traffic.action, dstcountry | dedup All_Traffic.dest

1	\| datamodel Network_Traffic All_Traffic search \| search All_Traffic.src_ip=10.x.x.x \| stats count by All_Traffic.src_ip, All_Traffic.dest,All_Traffic.action, dstcountry \| dedup All_Traffic.dest

Continue Reading →

Sourcetype: datamodels

Find success login after 10 failures with streamstats

Search Traffic by Source IP