text code block:`cisco_asa` message_id IN (113006) | rex "locked out on exceeding '(?<attempts_count>\d+)' successive failed authentication attempts" | rex "User '(?<user>[^']+)' locked out" | eval failure_description="locked out on exceeding " . attempts_count . " successive failed authentication attempts" | fillnull | stats earliest(_time) as firstTime latest(_time) as lastTime values(message_id) as message_id values(failure_description) as failure_description by host user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___user_account_lockout_threshold_exceeded_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).