I want to create a report that alerts on 7 or more failed TACACS+ authentication attempts in the past 10 minutes. I almost got it working, except the "Total" column adds up every user that failed and shows that total next to each username. So, for example, say I have two users: UserA failed 4 times and UserB failed 3 times. The Total column would show 7 next to both UserA and UserB instead of 4 and 3. Below is my syntax:
index=cisco_ise Protocol=Tacacs AuthenticationResult=Failed Service=Login Type=Authentication | eventstats count as TOTAL_COUNT | stats latest(TOTAL_COUNT) as Total by user | where Total > 6
Try this
index=cisco_ise Protocol=Tacacs AuthenticationResult=Failed Service=Login Type=Authentication | stats count by user | eventstats sum(count) as Total | where Total > 6
Hello there. Didn't work the way I wanted. The search is adding up the count for each user and totaling that up, and if it totals to greater than 6 it alerts. For example, one user has 4 failed attempts and the other user has 3 failed attempts. No individual user is over 6, so I wouldn't want it to alert. However, since the total is 7 the search thinks it's over 6, so it alerts. How can I make this for greater than 6 for an individual user only?
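Added example, not from either poster: the two searches in the thread both roll the per-user counts back up into one run-wide number before the `where` runs (the first via `eventstats count`, the second via `eventstats sum(count)`), so the threshold is always tested against the grand total. The per-user form is simply `index=cisco_ise Protocol=Tacacs AuthenticationResult=Failed Service=Login Type=Authentication | stats count by user | where count > 6`, because `stats count by user` already yields one row per user and `where` filters those rows. The Python below reproduces that logic offline over constructed Cisco ISE-style key=value lines (the `_time=` prefix and the `user` field name are assumptions; the other field names mirror the search in the thread) so you can see why the posted searches fire on 4 + 3 failures and the per-user check does not.

```python
"""Per-user vs. run-wide thresholding of failed TACACS+ logins.

Illustrative code written for this thread, not Splunk's own logic. It
models a 10-minute window ending at NOW, the same field filter as the
search in the question, and the two ways of applying the threshold.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Reference "now" for the 10-minute lookback (assumed, UTC).
NOW = datetime(2024, 5, 1, 10, 10, 0, tzinfo=timezone.utc)

# Constructed sample events. Inside the window: UserA fails 4 times,
# UserB fails 3 times. Noise the filter must drop: one successful
# login, one RADIUS failure, and one TACACS failure from 25 min ago.
SAMPLE_EVENTS = """\
_time=2024-05-01T10:00:10Z Protocol=Tacacs AuthenticationResult=Failed Service=Login Type=Authentication user=UserA
_time=2024-05-01T10:02:00Z Protocol=Tacacs AuthenticationResult=Failed Service=Login Type=Authentication user=UserA
_time=2024-05-01T10:03:30Z Protocol=Tacacs AuthenticationResult=Failed Service=Login Type=Authentication user=UserB
_time=2024-05-01T10:04:00Z Protocol=Tacacs AuthenticationResult=Failed Service=Login Type=Authentication user=UserA
_time=2024-05-01T10:05:15Z Protocol=Tacacs AuthenticationResult=Failed Service=Login Type=Authentication user=UserB
_time=2024-05-01T10:06:40Z Protocol=Tacacs AuthenticationResult=Failed Service=Login Type=Authentication user=UserA
_time=2024-05-01T10:07:00Z Protocol=Tacacs AuthenticationResult=Passed Service=Login Type=Authentication user=UserA
_time=2024-05-01T10:07:30Z Protocol=Radius AuthenticationResult=Failed Service=Login Type=Authentication user=UserB
_time=2024-05-01T10:08:05Z Protocol=Tacacs AuthenticationResult=Failed Service=Login Type=Authentication user=UserB
_time=2024-05-01T09:45:00Z Protocol=Tacacs AuthenticationResult=Failed Service=Login Type=Authentication user=UserB
"""

# Same field filter as the search in the thread.
BASE_FILTER = {
    "Protocol": "Tacacs",
    "AuthenticationResult": "Failed",
    "Service": "Login",
    "Type": "Authentication",
}


def parse_event(line):
    """Split one 'k=v k=v ...' line into a dict (values cannot contain spaces here)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def failed_logins(raw=SAMPLE_EVENTS, now=NOW, window=timedelta(minutes=10)):
    """Events matching BASE_FILTER whose timestamp lies in (now - window, now]."""
    kept = []
    for line in raw.splitlines():
        ev = parse_event(line)
        if any(ev.get(k) != v for k, v in BASE_FILTER.items()):
            continue
        ts = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if now - window < ts <= now:
            kept.append(ev)
    return kept


def per_user_counts(events):
    """Equivalent of `stats count by user`: one count per user."""
    return Counter(ev.get("user", "unknown") for ev in events)


def users_over_threshold(events, threshold=7):
    """Per-user check (`stats count by user | where count > 6`): alert only
    on users who individually reached the threshold."""
    return {u: c for u, c in per_user_counts(events).items() if c >= threshold}


def total_as_posted(events):
    """What both searches in the thread actually compare against 6: the sum
    over every user, which is why 4 + 3 failures trip the alert."""
    return sum(per_user_counts(events).values())


def check(raw=SAMPLE_EVENTS, now=NOW, threshold=7):
    """Run the whole pipeline and return both views side by side."""
    events = failed_logins(raw, now)
    return {
        "per_user": dict(per_user_counts(events)),
        "alerts": users_over_threshold(events, threshold),
        "total_as_posted": total_as_posted(events),
    }


if __name__ == "__main__":
    print(check())
```

With the constructed input, `check()` reports UserA at 4 and UserB at 3, an empty per-user alert set, and a run-wide total of 7, which is exactly the false positive described in the follow-up. The same distinction holds in SPL: keep the `where` directly after `stats count by user`, and do not add an `eventstats` that sums across users before it.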