Hi @gcusello 

I tried your query it is working I have one more question I want to keep like 10 unsuccess login within 30mins and it login 

Thanks 

Hi @debjit_k,

you can insert the different trheeshold in the main search and manage the 30 minutes in the stats command:

index=wineventlog source=WinEventLog:Security (EventCode=4625 OR EventCode=4624) 
| eval username=mvindex(Account_Name, 1) 
| bin span=30m _time
| stats 
   count(eval(EventCode="4625")) AS Failed
   count(eval(EventCode="4624")) AS Success 
   earliest(_time) AS earliest
   latest(_time) AS latest
   by host username 
| eval alert=if(Failed>10, "more_fails", "no_more_fails") 
| where alert="more_fails" AND Success>1 AND latest-earliest<1800
| table _time username host Failed Success alert

Ciao.

Giuseppe

Hi @gcusello 

Thank you so much for your support just one last question I have in my mind.. 

While searching im getting first success full attempt followed by failed attempt but I want to see my failure followed by success.

For example 

10:02 failed 

10:03 failed...

10:35 success 

And I want only 1 successful attempt not multiple success but while running im getting 

Failure 61 success 12 But I want failure 61 and success==1 

Thanks 

Hi @gcusello 

Thank you I have change the query little bit as I was getting no successful attempt also in the table..
But little bit concern with the time span I gave very minimal time to test the query but it is not showing zero events 

For example 

index=sdp_siem_win source=WinEventLog:Security (EventCode=4625 OR EventCode=4624)
| eval username=mvindex(Account_Name, 1)
| stats
count(eval(EventCode="4625")) AS Failed_count
count(eval(EventCode="4624")) AS Success_count
first(eval(if(EventCode="4624",strftime(_time,"%Y-%m-%d %H:%M:%S")." "."Success",""))) AS Success
values(eval(if(EventCode="4625",strftime(_time,"%Y-%m-%d %H:%M:%S")." "."Failed",""))) AS Failed
earliest(_time) AS earliest
latest(_time) AS latest
by host username
| eval alert=if(Failed_count>5, "more_fails", "no_more_fails")
| where alert="more_fails" AND Success_count>0
| table username host Failed Failed_count Success alert
| search Success!=""

The above query showing the result but if I time time function then it is showing 0 result 

index=sdp_siem_win source=WinEventLog:Security (EventCode=4625 OR EventCode=4624)
| eval username=mvindex(Account_Name, 1)
| bin span=2m _time
| stats
count(eval(EventCode="4625")) AS Failed_count
count(eval(EventCode="4624")) AS Success_count
first(eval(if(EventCode="4624",strftime(_time,"%Y-%m-%d %H:%M:%S")." "."Success",""))) AS Success
values(eval(if(EventCode="4625",strftime(_time,"%Y-%m-%d %H:%M:%S")." "."Failed",""))) AS Failed
earliest(_time) AS earliest
latest(_time) AS latest
by host username
| eval alert=if(Failed_count>5, "more_fails", "no_more_fails")
| where alert="more_fails" AND Success_count>0 AND latest-earliest<120
| table username host Failed Failed_count Success alert
| search Success!=""

Can you please guide me where I get wrong 

Thanks 

Hi @gcusello 

Sorry for my inconvenience to you.. 

I'm looking like 

If (Last failed login)-(log in) is < 30 min it will triggered 

Suppose 

Last fail log in is 10:05 

Success full login at 10:25 

If the time gap between them is less than 30 mins then it should triggered and alert..

Thank

Hi @gcusello ,

While running your query im getting the below error 

Error in 'stats' command: You must specify a rename for the aggregation specifier on the dynamically evaluated field 'count(eval(EventCode="4625"))'.

Can you please guide me what's the issue 

Thanks

Hi @debjit_k,

sorry, I did a mistake, please try this:

index=wineventlog source=WinEventLog:Security (EventCode=4625 OR EventCode=4624) 
| eval username=mvindex(Account_Name, 1) 
| stats 
   count(eval(EventCode="4625")) AS Failed
   count(eval(EventCode="4624")) AS Success 
   by host username 
| eval alert=if(Failed>3, "more_fails", "no_more_fails") 
| where alert="more_fails" AND Success>1 
| table _time username host Failed Success alert

Ciao.

Giuseppe