Splunk Security Essentials应用程序有一个Brute Force Attempt Detection查询示例。
我有几次登录失败,然后管理员成功了,这就是我所拥有的,但似乎没有得到任何结果:
source=WinEventLog:Security EventCode=4625 OR EventCode=4624
| bin _time span=5m as minute
| eval username=mvindex(Account_Name, 1)
| stats count(Keywords) as Attempts,
count(eval(match(Keywords,"Audit Failure"))) as Failed,
count(eval(match(Keywords,"Audit Success"))) as Success by minute username
| where Failed>=2
| stats dc(username) as Total by minute
| where Total>3
有没有什么更好的方法可以为用户找到失败的登录尝试,然后成功登录?