Finding brute force attacks with Splunk

Problem description

I ran into several failed logins followed by a successful admin login. This is what I have, but it does not seem to return any results:

source=WinEventLog:Security EventCode=4625 OR EventCode=4624 
 | bin _time span=5m as minute 
 | eval username=mvindex(Account_Name,1)
 | stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed, count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=2
 | stats dc(username) as Total by minute 
 | where Total>3

Any ideas on a better way to find a user's failed login attempts followed by a successful login?
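The detection the question describes (a burst of 4625 failures for one account followed by a 4624 success in the same 5-minute window) can be prototyped outside Splunk to check the logic before turning it into SPL. The following is an added Python example, not code from the original post or from Splunk; the event records are constructed to mimic the WinEventLog:Security fields the query above uses (_time, EventCode, Account_Name, Keywords), and the bucketing mirrors `bin _time span=5m`.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of the Security log fields used by the
# question's search. alice: 3 failures then a success in one window (the case
# we want to flag). bob: 1 failure then success (below threshold). carol: 2
# failures then a success that lands in the NEXT 5-minute bucket. dave: many
# failures and no success (a pure brute force without compromise).
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:00:05", "EventCode": 4625, "Account_Name": "alice", "Keywords": "Audit Failure"},
    {"_time": "2024-01-01T10:00:30", "EventCode": 4625, "Account_Name": "alice", "Keywords": "Audit Failure"},
    {"_time": "2024-01-01T10:01:10", "EventCode": 4625, "Account_Name": "alice", "Keywords": "Audit Failure"},
    {"_time": "2024-01-01T10:02:00", "EventCode": 4624, "Account_Name": "alice", "Keywords": "Audit Success"},
    {"_time": "2024-01-01T10:03:00", "EventCode": 4625, "Account_Name": "bob",   "Keywords": "Audit Failure"},
    {"_time": "2024-01-01T10:03:30", "EventCode": 4624, "Account_Name": "bob",   "Keywords": "Audit Success"},
    {"_time": "2024-01-01T10:06:00", "EventCode": 4625, "Account_Name": "carol", "Keywords": "Audit Failure"},
    {"_time": "2024-01-01T10:07:45", "EventCode": 4625, "Account_Name": "carol", "Keywords": "Audit Failure"},
    {"_time": "2024-01-01T10:12:00", "EventCode": 4624, "Account_Name": "carol", "Keywords": "Audit Success"},
    {"_time": "2024-01-01T10:20:00", "EventCode": 4625, "Account_Name": "dave",  "Keywords": "Audit Failure"},
    {"_time": "2024-01-01T10:20:10", "EventCode": 4625, "Account_Name": "dave",  "Keywords": "Audit Failure"},
    {"_time": "2024-01-01T10:20:20", "EventCode": 4625, "Account_Name": "dave",  "Keywords": "Audit Failure"},
    {"_time": "2024-01-01T10:20:30", "EventCode": 4625, "Account_Name": "dave",  "Keywords": "Audit Failure"},
]


def parse_time(value):
    """Parse the ISO-8601 _time string of a constructed event."""
    return datetime.fromisoformat(value)


def bucket_start(ts, span_minutes=5):
    """Floor a timestamp to the start of its span, like `bin _time span=5m`."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % span_minutes)


def detect_failures_then_success(events, span_minutes=5, min_failures=2):
    """Flag (window, username) pairs where at least `min_failures` 4625
    events precede a 4624 event for the same account inside one window.

    Returns a list of dicts sorted by window and username.
    """
    groups = defaultdict(list)
    for event in events:
        ts = parse_time(event["_time"])
        groups[(bucket_start(ts, span_minutes), event["Account_Name"])].append((ts, event))

    hits = []
    for (window, user), entries in groups.items():
        entries.sort(key=lambda item: item[0])  # order matters: failures must come first
        failures_so_far = 0
        for ts, event in entries:
            if event["EventCode"] == 4625 and "Failure" in event["Keywords"]:
                failures_so_far += 1
            elif event["EventCode"] == 4624 and failures_so_far >= min_failures:
                hits.append({
                    "window": window.isoformat(),
                    "username": user,
                    "failed_before_success": failures_so_far,
                    "success_at": ts.isoformat(),
                })
                break  # one hit per account per window is enough
    return sorted(hits, key=lambda h: (h["window"], h["username"]))


if __name__ == "__main__":
    for hit in detect_failures_then_success(SAMPLE_EVENTS):
        print(hit)
```

Running this flags only alice. carol is missed because her success falls in the bucket after her failures, which is the main caveat of any `bin`-based approach: a sequence that straddles a window boundary is invisible, so in production the span should be chosen with that in mind or the failures and success correlated by account rather than by fixed bucket. dave is not flagged either, since the question is about failures followed by a success; the question's final `stats dc(username) ... | where Total>3` instead answers a different question, how many distinct accounts failed in the same window, which is the password-spray style signal.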

Solution

The Splunk Security Essentials app has a sample "Brute Force Attempt Detection" query.