https://community.splunk.com/t5/Splunk-Enterprise-Security/Excessive-Failed-Logins-Correlation-Search/m-p/413621#M4918 <P>Hi guys,</P> <P>Im not sure how to go about this. We currently have the Excessive Failed Logins Correlation Search enabled on our Splunk ES instance. Id like to filter out the accounts with failed authentications that had their passwords recently expire. I tried using map and join to query okta or wineventlog but couldn't figure it out. </P> <P>Below is the default correlation search query. Any ideas?</P> <P>| from datamodel:"Authentication"."Failed_Authentication" | stats values(tag) as "tag",dc(user) as "user_count",dc(dest) as "dest_count",count by "app","src","user","host" | where 'count'&gt;=50</P> Tue, 29 Sep 2020 19:39:36 GMT bbraun 2020-09-29T19:39:36Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Excessive-Failed-Logins-Correlation-Search/m-p/413621#M4918 <P>Hi guys,</P> <P>Im not sure how to go about this. We currently have the Excessive Failed Logins Correlation Search enabled on our Splunk ES instance. Id like to filter out the accounts with failed authentications that had their passwords recently expire. I tried using map and join to query okta or wineventlog but couldn't figure it out. </P> <P>Below is the default correlation search query. Any ideas?</P> <P>| from datamodel:"Authentication"."Failed_Authentication" | stats values(tag) as "tag",dc(user) as "user_count",dc(dest) as "dest_count",count by "app","src","user","host" | where 'count'&gt;=50</P> Tue, 29 Sep 2020 19:39:36 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Excessive-Failed-Logins-Correlation-Search/m-p/413621#M4918 bbraun 2020-09-29T19:39:36Z