Hi,
we are using Enterprise Security. The problem is that we have a few hosts where all the employees log in and many machines where only a handful of people log in. Therefore we have many failed logins on the main machines with many notable events which basically aren't notable events.
Question
My question: Is there a way to alter the extreme search so that it uses a context which is host dependent, i.e. dependent on the overall logins? Or do I need to write new correlation searches which basically compare the total logins of a machine to the failed logins? What's the best approach?
Correlation Search
| `datamodel("Authentication","Authentication")`
| stats values(Authentication.tag) as tag, values(Authentication.app) as app, count(eval('Authentication.action'=="failure")) as failure, count(eval('Authentication.action'=="success")) as success by Authentication.src
| `drop_dm_object_name("Authentication")`
| search success>0 | xswhere failure from failures_by_src_count_1h in authentication is above medium | `settags("access")`
Logins per host
I learned that by default the context has only one class, default. In order to get fewer notable events I have to create the same context with src classes. Then it works.
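The effect of moving from one "default" class to one class per src, as an added Python illustration (not code from the thread, not Splunk's own implementation). It recomputes the stats from the correlation search over constructed auth events for two hosts, builds a context from the baseline hourly failure counts under each class scheme, and then applies the `xswhere ... is above medium` test. The hosts "ts01" and "db01", the event counts, and the approximation of "above medium" as "more than one standard deviation above the class mean" are all assumptions for the example; real Extreme Search contexts use fuzzy concepts rather than a plain z-score, but the class-scoping behaviour is the same.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from the thread): (hour, src, action).
# Hours 0-23 are the baseline window; hour 24 is the hour the search evaluates.
BASELINE_HOURS = range(24)
EVAL_HOUR = 24


def constructed_events():
    events = []
    for hour in BASELINE_HOURS:
        # ts01: shared terminal server everyone logs in to, 30-39 failures/hour
        events += [(hour, "ts01", "success")] * 200
        events += [(hour, "ts01", "failure")] * (30 + hour % 10)
        # db01: admin-only host, 0-1 failures/hour
        events += [(hour, "db01", "success")] * 3
        events += [(hour, "db01", "failure")] * (hour % 2)
    # evaluation hour: ts01 is unremarkable, db01 sees a small burst of failures
    events += [(EVAL_HOUR, "ts01", "success")] * 200 + [(EVAL_HOUR, "ts01", "failure")] * 35
    events += [(EVAL_HOUR, "db01", "success")] * 2 + [(EVAL_HOUR, "db01", "failure")] * 12
    return events


def hourly_counts(events):
    """Equivalent of the stats in the correlation search: success/failure per (hour, src)."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for hour, src, action in events:
        counts[(hour, src)][action] += 1
    return counts


def build_context(events, class_by_src):
    """Build an Extreme Search style context from hourly failure counts.

    class_by_src maps src -> class name. Mapping every src to "default" gives the
    single-class context the question started with; mapping src -> src gives one
    class per src. Each class stores (mean, stdev) of its hourly failure counts.
    """
    samples = defaultdict(list)
    for (hour, src), c in hourly_counts(events).items():
        if hour in BASELINE_HOURS:
            samples[class_by_src(src)].append(c["failure"])
    return {cls: (mean(v), pstdev(v)) for cls, v in samples.items()}


def above_medium(value, ctx, k=1.0):
    """Assumed approximation of `xswhere ... is above medium`: more than k stdev above the class mean."""
    m, sd = ctx
    return value > m + k * sd


def evaluate(events, context, class_by_src, hour=EVAL_HOUR):
    """Return {src: (failures, failure_ratio, notable)} for hosts with at least one success."""
    result = {}
    for (h, src), c in hourly_counts(events).items():
        if h != hour or c["success"] == 0:  # mirrors `| search success>0`
            continue
        total = c["success"] + c["failure"]
        ratio = round(c["failure"] / total, 3)  # failed vs. total logins, the other approach asked about
        notable = above_medium(c["failure"], context[class_by_src(src)])
        result[src] = (c["failure"], ratio, notable)
    return result


def one_class(src):
    return "default"


def per_src(src):
    return src


if __name__ == "__main__":
    ev = constructed_events()
    print("single default class:", evaluate(ev, build_context(ev, one_class), one_class))
    print("one class per src:  ", evaluate(ev, build_context(ev, per_src), per_src))
```

With the single default class the busy terminal server is flagged for an ordinary hour and the quiet database host's burst is missed, because the context mixes both hosts' baselines; with one class per src the thresholds follow each host's own history, which is what the src-class context achieves. The failure ratio in the output shows the alternative of comparing failures to total logins without a context at all.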
Have you seen this great tutorial on Extreme Search by the inimitable George Starcher? While I know it's not an answer directly, I think it could be of great use in helping to find an answer.