Guys, I am trying to specifically see if I can distinguish when the login attempts are coming from an external source. What else can I add to this search?
```| tstats summariesonly=t allow_old_summaries=t prestats=t count(Authentication.user) from datamodel=Authentication where Authentication.action=block* OR Authentication.action=fail* groupby _time span=1h, Authentication.user
| tstats append=t summariesonly=t allow_old_summaries=t prestats=t count from datamodel=Authentication where Authentication.action=success groupby _time span=1d, Authentication.user
| stats count count(Authentication.user) by Authentication.user
| rename count as successes count(Authentication.user) as failures Authentication.* as *
| where successes>0 AND failures>100
| sort - failures
| head```
I also tried the following search, but it didn't work because sometimes the source could be machine name or host name as letters:
NOT (src_ip="10.0.0.0/8" OR src_ip="172.16.0.0/12" OR src_ip="192.168.0.0/16")
Filter on the Authentication.src field, using criteria that make sense for your environment.