This query will show a timechart, per user, of failed logon events (EventCode 4625) whose status indicates a locked-out account (Status 0xC0000234):
sourcetype="WinEventLog:Security" EventCode=4625 AND Status=0xC0000234 | timechart count by user | sort -count
If you have a field extraction for the visitor IPs, in this example named 'sourceIP', this simple query lists the number of unique visitors per hour:
host=insertHostnameHere sourcetype=access_combined | timechart span=1h dc(sourceIP)
The following Splunk search will return a timechart of all successful logons for a given Linux environment (regex provided):
sourcetype=linux_secure | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s" | search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication success" | timechart count(username)
The following Splunk search will return a timechart of all failed logons for a given Linux environment (regex provided):
sourcetype=linux_secure | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s" | search session=gdm-password | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)" | search authstatus="authentication failure" | timechart count(username)