Splunk search for Successful login after 10 failed attemptsCopy
| from datamodel:"Authentication"."Authentication" | search action=failure OR action=success | streamstats window=0 current=true reset_after="(action=\"success\")" count as failure_count by user | where action="success" and failure_count > 10 | stats values(failure_count) as failure_count by user
This Splunk search will search for times that a user successfully logged in to a system after failing 10 times in a row. This search depends on data being normalized to the Common Information Model (CIM) and correctly mapped to the Authentication Data Model.