Been working on a report to show the best data on authentications failed more than ten times in a time span of 10 mins.
Am I headed in the right direction? I'm just questioning whether or not the count in the table is correct:
index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested" | eventstats count(user) as failure_count by src_ip | bucket _time span=10m | where failure_count>10 | dedup src_ip |table user user_first user_last signature, src_ip, failure_count | rename user as User, user_first as "First Name" , user_last as "Last Name" , signature as "Failure Reason" , src_ip as "Source IP" , failure_count as Count
Appreciate any and all help.
Move the bucket to before the eventstats and group eventstats by _time as well. Like this:
index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested" | bucket _time span=10m | eventstats count(user) as failure_count by _time src_ip | where failure_count>10 | dedup src_ip | table user user_first user_last signature, src_ip, failure_count | rename user as User, user_first as "First Name" , user_last as "Last Name" , signature as "Failure Reason" , src_ip as "Source IP" , failure_count as Count
I think this is close, but comparing my numbers in the count field to raw events it seems way off.
I had been using just stats but needed more info in the table. Here's the stats command I was using that I felt was accurate.
Thoughts?
index=wineventlog OR index=cisco_auth action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested" | stats count by user,signature,src_ip | where count > 10 | bucket _time span=10m
Here is the difference between the two searches:
In the search I provided, the count is grouped by _time (10m increments) and src_ip,
and in your search the count is grouped by user, signature and src_ip (more group-by fields and no time field).
To check the count, try this search
index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested" | timechart span=10m count as failure_count by src_ip
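To see why the two groupings give different counts, here is the same logic as a stand-alone Python script (an added example, not part of any post in this thread and not Splunk code). It filters events the way the searches do (action=failure, no machine accounts ending in `$`, the two Kerberos signatures excluded), then counts once per 10-minute window and src_ip (the bucket-then-eventstats search and the timechart check) and once per src_ip with no time field (what the original eventstats did). The events are constructed inline; the field names `_time`, `user`, `src_ip`, `signature` and `action` are assumed to match the ones used in the searches above.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Signatures excluded by the searches in the thread.
EXCLUDED_SIGNATURES = {
    "Kerberos pre-authentication failed",
    "A Kerberos authentication ticket (TGT) was requested",
}


def passes_filter(ev):
    """Mirror of: action=failure user!=*$ signature!=<the two Kerberos events>."""
    return (ev["action"] == "failure"
            and not ev["user"].endswith("$")
            and ev["signature"] not in EXCLUDED_SIGNATURES)


def bucket_start(ts, span_minutes):
    """Mirror of `bucket _time span=10m`: floor the timestamp to the window start."""
    epoch = int(ts.timestamp())
    span = span_minutes * 60
    return datetime.fromtimestamp(epoch - epoch % span, tz=timezone.utc)


def count_by_window_and_src(events, span_minutes=10):
    """Equivalent of `bucket _time span=10m | eventstats count by _time src_ip`
    (and of `timechart span=10m count by src_ip`)."""
    counts = Counter()
    for ev in events:
        if passes_filter(ev):
            counts[(bucket_start(ev["_time"], span_minutes), ev["src_ip"])] += 1
    return counts


def flag_windows(events, span_minutes=10, threshold=10):
    """Windows in which one source IP produced more than `threshold` failures."""
    return {k: v for k, v in count_by_window_and_src(events, span_minutes).items()
            if v > threshold}


def count_by_src_only(events):
    """Equivalent of the original `eventstats count(user) by src_ip` with no time field:
    every failure from the IP over the whole search range is added up."""
    counts = Counter()
    for ev in events:
        if passes_filter(ev):
            counts[ev["src_ip"]] += 1
    return counts


def flag_src_only(events, threshold=10):
    return {ip: n for ip, n in count_by_src_only(events).items() if n > threshold}


def make_events():
    """Constructed sample events (not real log data)."""
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    logon_failed = "An account failed to log on"
    events = []
    # Burst: 12 failures from 10.0.0.5 within six minutes -> one hot 10m window.
    for i in range(12):
        events.append({"_time": base + timedelta(seconds=30 * i), "user": "jsmith",
                       "src_ip": "10.0.0.5", "signature": logon_failed, "action": "failure"})
    # Slow drip: 12 failures from 10.0.0.9, one every five minutes over an hour
    # -> only two per 10m window, never more than the threshold in any window.
    for i in range(12):
        events.append({"_time": base + timedelta(minutes=5 * i), "user": "mlee",
                       "src_ip": "10.0.0.9", "signature": logon_failed, "action": "failure"})
    # Noise the searches filter out: a machine account, a Kerberos pre-auth failure,
    # and a successful logon from the bursting IP.
    events.append({"_time": base, "user": "WS01$", "src_ip": "10.0.0.5",
                   "signature": logon_failed, "action": "failure"})
    events.append({"_time": base, "user": "jsmith", "src_ip": "10.0.0.5",
                   "signature": "Kerberos pre-authentication failed", "action": "failure"})
    events.append({"_time": base, "user": "jsmith", "src_ip": "10.0.0.5",
                   "signature": "An account was successfully logged on", "action": "success"})
    return events


if __name__ == "__main__":
    evs = make_events()
    for (window, ip), n in sorted(flag_windows(evs).items()):
        print(f"{window.isoformat()}  {ip}  {n} failures in 10m")
    print("flagged with no time grouping:", flag_src_only(evs))
```

With these events the per-window count flags only 10.0.0.5 (12 failures in the 09:00 window), while the src_ip-only count flags both 10.0.0.5 and 10.0.0.9 at 12 each, because the slow drip from 10.0.0.9 is summed over the whole hour. That is the gap between "more than ten failures in 10 minutes" and "more than ten failures from this IP in the search range", and it is what the timechart check makes visible.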