Hi Team,
I want to create a report of excessive failed login users who have more than 5 failed login attempts from an app.
Thanks
Dawood
| tstats count as failedLogins where (index=yourAuthIndex action!=success earliest=-4h latest=-1h) by user | where failedLogins>5
You may need to change the fields and times to suit your needs.
Hi @DawoodUlex, try something like this:
...<your search for failed logins> | stats count as failedLogins by user | where failedLogins>5
I am using tstats and it is showing data from the very beginning, i.e. 2017.