Hello,
Has anyone successfully implemented a search for 2 failed logins followed by a successful login in Windows?
Here is my search, but I have no idea how to specifically filter for the failed and successful login events:
sourcetype="WinEventLog:Security" | transaction Account_Name Hostname maxevents=3 maxspan=300s
There are a few questions already raised on this, but nothing seems to work.
I don't have ES in front of me, but I believe the "Brute Force Access" (words to that effect) correlation search looks for "try/fail, try/fail, try/succeed" (within 1 day if memory serves, but I could be wrong), whether it's Windows or anything else, and it's also built into ES.
ES does it via tags and the CIM knowledge provided in the apps/TAs.
Hope it helps.
Try this (please verify the rex for the "Status" field):
sourcetype="WinEventLog:Security" | rex "(?<Status>Success|Fail)" | bin span=5m _time | stats list(Status) as Status by _time Hostname Account_Name | where mvindex(Status, 0)="Fail" AND mvindex(Status, 1)="Fail" AND mvindex(Status, -1)="Success" | ...
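The "fail, fail, then succeed within a window" logic the thread is after, worked through as an added example outside Splunk (this is not code from the original posts). It runs the check over constructed, simplified one-line events rather than real WinEventLog output, and assumes the fields the Windows TA normally extracts: EventCode (4625 = failed logon, 4624 = successful logon), Account_Name and ComputerName. The function names, the sample data and the 300-second window are all assumptions for the illustration; the window is a true sliding window per account and host rather than the fixed 5-minute bins in the search above, so a sequence that straddles a bin boundary is still caught.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a compact one-line form (not real Splunk output).
# Only alice should trigger: two failures then a success inside 300 seconds.
# bob: one failure only. carol: failures too old. dave: no success at all.
# eve: each success is preceded by a single failure, so the sequence resets.
SAMPLE_EVENTS = """\
2024-01-15 10:00:00 EventCode=4625 Account_Name=alice ComputerName=WS01
2024-01-15 10:00:30 EventCode=4625 Account_Name=alice ComputerName=WS01
2024-01-15 10:01:00 EventCode=4624 Account_Name=alice ComputerName=WS01
2024-01-15 10:00:00 EventCode=4625 Account_Name=bob ComputerName=WS01
2024-01-15 10:00:10 EventCode=4624 Account_Name=bob ComputerName=WS01
2024-01-15 09:00:00 EventCode=4625 Account_Name=carol ComputerName=WS02
2024-01-15 09:01:00 EventCode=4625 Account_Name=carol ComputerName=WS02
2024-01-15 09:10:00 EventCode=4624 Account_Name=carol ComputerName=WS02
2024-01-15 11:00:00 EventCode=4625 Account_Name=dave ComputerName=WS03
2024-01-15 11:00:05 EventCode=4625 Account_Name=dave ComputerName=WS03
2024-01-15 11:00:10 EventCode=4625 Account_Name=dave ComputerName=WS03
2024-01-15 12:00:00 EventCode=4625 Account_Name=eve ComputerName=WS01
2024-01-15 12:00:30 EventCode=4624 Account_Name=eve ComputerName=WS01
2024-01-15 12:01:00 EventCode=4625 Account_Name=eve ComputerName=WS01
2024-01-15 12:01:30 EventCode=4624 Account_Name=eve ComputerName=WS01
"""

# Windows Security event IDs for logon outcomes.
FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"EventCode=(?P<code>\d+) Account_Name=(?P<user>\S+) ComputerName=(?P<host>\S+)$"
)


def parse_events(text):
    """Parse the one-line sample format into (time, code, user, host) tuples.

    Lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       m["code"], m["user"], m["host"]))
    return events


def find_fail_fail_success(events, min_failures=2, maxspan=timedelta(seconds=300)):
    """Return one alert per successful logon that was preceded, for the same
    account on the same host, by at least min_failures failed logons within
    maxspan and with no successful logon in between (a success resets the run)."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev[2], ev[3])].append(ev)

    alerts = []
    for (user, host), evs in by_key.items():
        evs.sort(key=lambda e: e[0])  # events may arrive out of order
        failures = []  # timestamps of failures since the last success
        for ts, code, _, _ in evs:
            if code == FAILED_LOGON:
                failures.append(ts)
            elif code == SUCCESS_LOGON:
                recent = [f for f in failures if ts - f <= maxspan]
                if len(recent) >= min_failures:
                    alerts.append({"user": user, "host": host,
                                   "success_time": ts, "failures": len(recent)})
                failures = []
    return sorted(alerts, key=lambda a: a["success_time"])


if __name__ == "__main__":
    for alert in find_fail_fail_success(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In Splunk the same filter is cleaner on the event ID than on a regex over the message text: restrict to `EventCode=4624 OR EventCode=4625` and derive the outcome from that, then group by Account_Name and ComputerName (or host) before checking the order of outcomes. The threshold is "at least two failures" rather than exactly two, which is what a brute-force detection normally wants.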