Splunk search for Successful login after 10 failed attempts
| from datamodel:"Authentication"."Authentication"
| search action=failure OR action=success
| streamstats window=0 current=true reset_after="(action=\"success\")" count as failure_count by user
| where action="success" and failure_count > 10
| stats values(failure_count) as failure_count by user
This Splunk search finds the times a user successfully logged in to a system after failing 10 times in a row. It depends on the data being normalized to the Common Information Model (CIM) and correctly mapped to the Authentication data model. Two details matter when tuning it. First, streamstats counts the current event (current=true) before reset_after clears the counter, so on the matching success event failure_count is the number of preceding failures plus one; failure_count > 10 therefore means at least 10 consecutive failures preceded the success. Second, streamstats walks events in the order the search returns them, so the events must be in ascending time order for the reset to follow the failures it belongs to; if your results come back newest-first, add a "| sort 0 _time" before the streamstats command.
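To make the pipeline's behaviour concrete, the following added Python example (not part of the original page and not Splunk's own code) emulates the streamstats, where and stats stages over a constructed set of CIM-style authentication events. It shows two things the search text alone does not: that failure_count on the matching success event includes the success itself, and that the reset only works when events are processed oldest-first. The event tuples and user names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample authentication events (not taken from the page):
# (_time, user, action), already normalized to CIM-style action values.
SAMPLE_EVENTS = (
    [(t, "alice", "failure") for t in range(1, 11)]      # 10 failures in a row
    + [(11, "alice", "success")]                         # then a success
    + [(20 + t, "bob", "failure") for t in range(3)]     # 3 failures
    + [(24, "bob", "success")]
    + [(30 + t, "carol", "failure") for t in range(10)]  # 10 failures, never succeeds
    + [(40, "alice", "failure"), (41, "alice", "failure"), (42, "alice", "success")]
)


def streamstats_count_reset_after_success(events):
    """Emulate `streamstats window=0 current=true reset_after="(action=\"success\")" count by user`.

    Events are processed in the order given, exactly as streamstats does. The
    current event is counted (current=true) before the reset check runs, so a
    success event carries (preceding failures + 1) in its count.
    Returns a list of ((ts, user, action), running_count).
    """
    running = defaultdict(int)
    annotated = []
    for ts, user, action in events:
        running[user] += 1
        annotated.append(((ts, user, action), running[user]))
        if action == "success":      # reset_after: clear the counter after this event
            running[user] = 0
    return annotated


def successes_after_failures(events, threshold=10, chronological=True):
    """Apply `where action="success" and failure_count > threshold`, then
    `stats values(failure_count) as failure_count by user`.

    chronological=True sorts events oldest-first, which the reset logic needs;
    chronological=False feeds them in the given order to show what goes wrong.
    Returns {user: sorted list of distinct failure_count values}.
    """
    ordered = sorted(events, key=lambda e: e[0]) if chronological else list(events)
    per_user = defaultdict(set)
    for (ts, user, action), count in streamstats_count_reset_after_success(ordered):
        if action == "success" and count > threshold:
            per_user[user].add(count)
    return {user: sorted(vals) for user, vals in per_user.items()}


if __name__ == "__main__":
    # Oldest-first: alice's success after 10 failures is reported with count 11.
    print(successes_after_failures(SAMPLE_EVENTS))
    # Newest-first (how results often arrive): the reset fires before the
    # failures are counted, so nothing is detected.
    newest_first = sorted(SAMPLE_EVENTS, key=lambda e: -e[0])
    print(successes_after_failures(newest_first, chronological=False))
```

Running it prints {'alice': [11]} for the chronological case and an empty dict for the newest-first case, which is the ordering pitfall described above; lowering the threshold (for example threshold=2) surfaces bob's 3-failure streak and alice's later 2-failure streak as well.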