So I am working a bit with transaction and I am unable to verify how it should work. This is my search:
index = "myintestindex" sourcetype = "WinEventLog:Security" EventCode = 529 OR EventCode = 4625 AND Failure_Reason = "Unknown user name or bad password." | transaction maxspan=10m | table Account_Name, Failure_Reason
What I am looking for is a) to find all those EventCodes and Failure_Reason that happen on 10m span then b) to count that if there is over 3 of them on that specific 10min timespan. I dont want to end the search to Account_Name being allowed (so no failure).
This is on the simplest form and I do not want to do it with alert/reporting - but with a search.
How about this
index = "myintestindex" sourcetype = "WinEventLog:Security" EventCode = 529 OR EventCode = 4625 AND Failure_Reason = "Unknown user name or bad password." | transaction maxspan=10m Account_Name | table Account_Name Failure_Reason duration eventcount | where eventcount>=3
How about this
index = "myintestindex" sourcetype = "WinEventLog:Security" EventCode = 529 OR EventCode = 4625 AND Failure_Reason = "Unknown user name or bad password." | transaction maxspan=10m Account_Name | table Account_Name Failure_Reason duration eventcount | where eventcount>=3
This forks. Thanks!