cyberlabs.us
Splunk: Detect Username Guessing Brute Force Attacks
Informational

sourcetype=wineventlog EventCode=4625 OR EventCode=4624
| bin _time span=5m as minute
| stats count(Keywords) as Attempts,
    count(eval(match(Keywords,"Audit Failure"))) as Failed,
    count(eval(match(Keywords,"Audit Success"))) as Success by minute user
| where Failed>=4
| stats values(user) AS userlist dc(user) AS Total BY minute
| where Total>5
| eval minute=strftime(minute,"%m/%d/%y %H:%M:%S")
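The same detection logic as the SPL above, as an added Python example (not code from the original post), run over constructed sample events shaped like a wineventlog feed; the thresholds mirror the query's Failed>=4 per user and Total>5 distinct users per 5-minute bucket, and the event tuples, user names and timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

def _ts(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS' UTC timestamp into epoch seconds."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())

def build_sample_events():
    """Constructed sample events (not real logs): (epoch, EventCode, Keywords, user).
    11:30-11:35 holds six users with four failures each (what the query flags);
    11:40-11:45 holds one account with twenty failures, which the query ignores
    because it keys on the number of distinct users, not the number of attempts."""
    events = []
    for i in range(6):                      # six users x four failures, same bucket
        for j in range(4):
            events.append((_ts(f"2022-08-21 11:30:{10*i + j:02d}"), 4625, "Audit Failure", f"user{i}"))
    for j in range(3):                      # one user below the per-user threshold
        events.append((_ts(f"2022-08-21 11:31:{j:02d}"), 4625, "Audit Failure", "user_low"))
    for j in range(20):                     # single-account hammering, different bucket
        events.append((_ts(f"2022-08-21 11:40:{j:02d}"), 4625, "Audit Failure", "admin"))
    events.append((_ts("2022-08-21 11:42:00"), 4624, "Audit Success", "alice"))
    return events

def detect_username_guessing(events, span=300, failed_min=4, users_gt=5):
    """Return {bucket_epoch: sorted userlist} for every bucket the SPL would report."""
    # | bin _time span=5m | stats count(eval(match(Keywords,"Audit Failure"))) as Failed by minute user
    failed = defaultdict(int)
    for t, _code, keywords, user in events:
        bucket = (t // span) * span
        if "Audit Failure" in keywords:
            failed[(bucket, user)] += 1
    # | where Failed>=4 | stats values(user) AS userlist dc(user) AS Total BY minute | where Total>5
    per_bucket = defaultdict(set)
    for (bucket, user), n in failed.items():
        if n >= failed_min:
            per_bucket[bucket].add(user)
    return {b: sorted(users) for b, users in per_bucket.items() if len(users) > users_gt}

def format_bucket(epoch):
    """Equivalent of the query's final strftime on the bucket start."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%m/%d/%y %H:%M:%S")

if __name__ == "__main__":
    for bucket, users in detect_username_guessing(build_sample_events()).items():
        print(format_bucket(bucket), len(users), users)
```

The single-account case in the second bucket is left unflagged on purpose to show what this query does and does not cover; a per-user Failed threshold alone would be a separate search.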

August 21st, 2022 - 11:59 am
