Hello,
I made an alarm that detects 10 logins in one minute, but I need to detect these 10 logins from the same IP in 1 minute.
How is it possible to restrict my search to only one source IP?
Best Regards.
Hello,
I put this
index="windows" TaskCategory=Logon Keywords="Audit Failure"
| streamstats count BY Source_Network_Address
| where count>=10
But the alert didn't do that search with the same IP.
For example, if I have 10 failed logins from the IP x.x.x.x in 1 minute, the alert should fire.
Right now my alert does the following:
10 failed logins from the IPs x.y.z.s, x.x.x.x, x.r.d.t... etc. in one minute
Like this:
Your Base Search Here | streamstats time_window=1m count BY ip_field_name
| where count>=10
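As an added example (not part of the thread above), the following Python script reproduces what the per-IP `streamstats time_window=1m count BY ip_field_name` does, a sliding one-minute window per source address, over constructed Windows logon-failure events, and contrasts it with counting per fixed one-minute bucket (the `bin _time span=1m | stats count BY _time, ip` pattern people often reach for). The sample log lines, the IP addresses and the `make_sample_log`/`parse_event`/`sliding_window_alerts`/`tumbling_bin_alerts` names are all constructed for this illustration; the field names mirror the ones in the poster's search. The burst in the sample straddles the 12:01 minute boundary, so the sliding window catches it while the fixed buckets see only 5 + 5 and never fire.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line shape is constructed to resemble the fields in the poster's search; it is
# not a real Windows Security export.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) TaskCategory=(?P<cat>\S+) Keywords="(?P<kw>[^"]+)" '
    r'Source_Network_Address=(?P<ip>\S+)$'
)


def _fmt(t, keywords, ip):
    return f'{t.isoformat()} TaskCategory=Logon Keywords="{keywords}" Source_Network_Address={ip}'


def make_sample_log():
    """Constructed sample events (hypothetical IPs, not from any real host)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # Burst: 10 failures from 10.0.0.5 within 10 seconds, straddling 12:01:00.
    for i in range(10):
        lines.append(_fmt(base + timedelta(seconds=55 + i), "Audit Failure", "10.0.0.5"))
    # A success from the same IP: must be filtered out, not counted.
    lines.append(_fmt(base + timedelta(seconds=60), "Audit Success", "10.0.0.5"))
    # Slow drip: 12 failures from 10.0.0.7, one every 25 s (never 10 in a minute).
    for i in range(12):
        lines.append(_fmt(base + timedelta(seconds=25 * i), "Audit Failure", "10.0.0.7"))
    # Below threshold: 5 failures from 10.0.0.9 in one minute.
    for i in range(5):
        lines.append(_fmt(base + timedelta(seconds=10 + i), "Audit Failure", "10.0.0.9"))
    return lines


def parse_event(line):
    """Parse one constructed line into a dict; raises ValueError on a bad line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def filter_failures(events):
    """Equivalent of TaskCategory=Logon Keywords="Audit Failure"."""
    return [e for e in events if e["cat"] == "Logon" and e["kw"] == "Audit Failure"]


def sliding_window_alerts(events, threshold=10, window_seconds=60):
    """Per-IP sliding window (what streamstats time_window does).

    Returns {ip: time the count first reached threshold}. Events are sorted by
    time first: streamstats time_window likewise requires time-ordered input.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    first_hit = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["ip"]]
        q.append(e["ts"])
        # Drop anything older than the window relative to this event.
        while q and q[0] <= e["ts"] - window:
            q.popleft()
        if len(q) >= threshold and e["ip"] not in first_hit:
            first_hit[e["ip"]] = e["ts"]
    return first_hit


def tumbling_bin_alerts(events, threshold=10, span_seconds=60):
    """Fixed-bucket count (bin _time span=1m | stats count BY _time, ip).

    Returns {ip: bucket start} for buckets that reach the threshold.
    """
    counts = defaultdict(int)
    for e in events:
        epoch = int(e["ts"].timestamp())
        bucket = datetime.fromtimestamp(epoch - epoch % span_seconds)
        counts[(e["ip"], bucket)] += 1
    hits = {}
    for (ip, bucket), n in sorted(counts.items(), key=lambda kv: kv[0][1]):
        if n >= threshold and ip not in hits:
            hits[ip] = bucket
    return hits


def run_detection(lines):
    """Parse, filter and run both detections; returns (sliding, tumbling)."""
    failures = filter_failures(parse_event(l) for l in lines)
    return sliding_window_alerts(failures), tumbling_bin_alerts(failures)


if __name__ == "__main__":
    sliding, tumbling = run_detection(make_sample_log())
    print("sliding window :", sliding)
    print("fixed 1m bins  :", tumbling)
```

The `where count>=10` step in the answer's search corresponds to the `len(q) >= threshold` check here; the deque is the set of events Splunk keeps inside the one-minute window for that IP. The fixed-bucket variant is cheaper but misses any burst that crosses a minute boundary, which is the kind of gap an attacker pacing an attempt does not need to know about to benefit from.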