Hi.
My organization is looking at identifying individual users (UserID) who have failed authentication (logon) >5 times per day for >3 consecutive days straight.
I am able to get the individual days' failed logins for a particular user, but how do I aggregate them in one search to create an alert?
I am currently using this search for a particular day.
index="myindex" | lookup agentlookup agent_ID as Agent | search Application=* Response=Reject | stats count by UserID | where count > 5
How do I extrapolate it to find 3 consecutive days straight?
I have also tried to use
index="myindex" | lookup agentlookup agent_ID as Agent | search Application=* Response=Reject | stats count by UserID | where count > 3 | span=1d count by UserID
to no avail. Have tried reading the documentation, but do not get it.
Thanks in advance for the help!
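A worked SPL search that performs the consecutive-day aggregation the question asks about, added here as an illustration and not taken from the original post or from Splunk documentation. It keeps the poster's index, lookup and field names (myindex, agentlookup, agent_ID, Agent, Application, Response, UserID); the seven-day window (earliest=-7d@d) and the run-counting technique with bin and streamstats are my assumptions about how to structure it, not something stated in the post.

```spl
index="myindex" earliest=-7d@d latest=@d
| lookup agentlookup agent_ID as Agent
| search Application=* Response=Reject
| bin _time span=1d
| stats count AS failures BY UserID, _time
| where failures > 5
| sort 0 UserID, _time
| streamstats current=f last(_time) AS prev_day BY UserID
| eval day_gap=round((_time - prev_day) / 86400)
| eval new_run=if(isnull(prev_day) OR day_gap != 1, 1, 0)
| streamstats sum(new_run) AS run_id BY UserID
| stats count AS consecutive_days, min(_time) AS run_start, max(_time) AS run_end, sum(failures) AS total_failures BY UserID, run_id
| where consecutive_days >= 3
| convert ctime(run_start) ctime(run_end)
| fields - run_id
```

How it works, stage by stage: bin _time span=1d collapses each event onto its calendar day, so the first stats gives one row per user per day with that day's failure count, and the first where keeps only days over the threshold (five here, as in the question). After sorting by user and day, streamstats with current=f hands each row the previous qualifying day for the same user; rounding the gap to whole days avoids false breaks on daylight-saving transitions. A row starts a new run when it is the user's first row or the gap is not exactly one day, and a running sum of those starts labels every row with a run_id. The final stats counts the days in each run, and the last where keeps runs of three or more days (raise the threshold if ">3" is meant strictly). Scheduled once a day, with the alert condition "number of results > 0", this produces one row per offending user and run, with the run's start and end dates and total failures for the analyst.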