From 13ffb7b83e7d63c43e1d074f4d58ede3eeeb3170 Mon Sep 17 00:00:00 2001
From: Phil Skentelbery
Date: Mon, 9 Nov 2020 20:32:20 -0600
Subject: [PATCH] initial commit
---
 failed_login.py | 29 +++++++++++++++++++++++++++++
 requirements.txt | 3 +++
 2 files changed, 32 insertions(+)
 create mode 100644 failed_login.py
 create mode 100644 requirements.txt
diff --git a/failed_login.py b/failed_login.py
new file mode 100644
index 0000000..2261dc6
--- /dev/null
+++ b/failed_login.py
@@ -0,0 +1,29 @@
+from pprint import pprint
+import socket
+import typer
+from splunklib.client import connect
+import splunklib.results as results
+
+
+def display(response):
+ reader = results.ResultsReader(response)
+ typer.secho("---- Failed Logins ---", fg=typer.colors.MAGENTA)
+ for result in reader:
+ if isinstance(result, dict):
+ login = ("timestamp={2} user={0} src=:{1}").format(result["user"],result["src"],result["timestamp"])
+ typer.echo(login)
+
+def main(host: str = typer.Option(..., prompt=True, help="Splunk hostname"),
+ port: int = typer.Option(8089,help="Splunk REST API port"),
+ username: str = typer.Option(..., prompt=True, help="Splunk username"),
+ password: str = typer.Option(..., prompt=True, help="Splunk password")):
+
+ search = """search index=_audit action="login attempt" info="failed" earliest=-7d@d | table timestamp user src"""
+ service = connect(host=host, port=port, username=username, password=password)
+ socket.setdefaulttimeout(None)
+ response = service.jobs.oneshot(search)
+
+ display(response)
+
+if __name__ == "__main__":
+ typer.run(main)
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..8ffa67b
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+click==7.1.2
+splunk-sdk==1.6.14
+typer==0.3.2
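Review bot: The `password` option in `main` is prompted with `prompt=True` but without `hide_input=True`, so the Splunk password is echoed to the terminal as it is typed, and because it is also an ordinary `--password` option it can end up in shell history and `ps` output whenever it is passed on the command line. Change the parameter to `password: str = typer.Option(..., prompt=True, hide_input=True, help="Splunk password")`, optionally adding `envvar="SPLUNK_PASSWORD"` so it can be supplied without appearing in the argument list. The `connect(host=host, port=port, username=username, password=password)` call passes no `verify` argument; if this splunk-sdk release defaults to not checking the server's TLS certificate, `verify=True` should be passed so the credentials are only sent to an authenticated endpoint — worth confirming against the pinned 1.6.14. Separately, `socket.setdefaulttimeout(None)` is process-global and removes any socket timeout for the whole interpreter, and `pprint` is imported but never used.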