I'd like some ideas on alerting when an Active Directory account has a particular # of login failures within a particular amount of time. The premise is to try and send an alert on an account that is about to get locked out.
Is this what you are looking for?
sourcetype="WinEventLog:Security" EventCode=4625 earliest=-15m@m
| eval userfield=mvindex(Account_Name,1)
| stats count as failedlogins by userfield
| where failedlogins > 4
I did the userfield extraction because Account_Name is usually a multivalued field. My demo data has a - in there. To change the time window, modify the earliest=-15m@m in the first line. To change the threshold, modify the where clause.
This is great! Thanks! What if I just wanted to monitor a couple of specific accounts?
Then you could filter it in the where clause:
| where failedlogins > 4 AND userfield in ("user1","user2")
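The same detection logic as the SPL above, written as a standalone script so the 15-minute window, the mvindex(Account_Name, 1) extraction and the threshold/account filter can be exercised offline. This is an added example, not code from the thread; the 4625-style events, timestamps and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in the shape of Windows Security EventCode=4625 records:
# (timestamp, Account_Name values). Account_Name is multivalued in 4625 events:
# index 0 is the subject account (often "-"), index 1 is the account the logon
# targeted, which is why the SPL uses mvindex(Account_Name, 1).
SAMPLE_EVENTS = [
    ("2024-01-10T08:40:00", ["-", "bob"]),    # bob: five old failures that fall
    ("2024-01-10T08:41:00", ["-", "bob"]),    # outside a 15-minute window
    ("2024-01-10T08:42:00", ["-", "bob"]),    # ending at 09:10
    ("2024-01-10T08:43:00", ["-", "bob"]),
    ("2024-01-10T08:44:00", ["-", "bob"]),
    ("2024-01-10T09:00:05", ["-", "alice"]),
    ("2024-01-10T09:01:10", ["-", "alice"]),
    ("2024-01-10T09:02:15", ["-", "bob"]),
    ("2024-01-10T09:03:20", ["-", "alice"]),
    ("2024-01-10T09:04:25", ["-", "alice"]),
    ("2024-01-10T09:05:30", ["-", "alice"]),  # alice's 5th failure in 15 min
]


def target_account(account_name):
    """Equivalent of mvindex(Account_Name, 1): the account the logon targeted."""
    return account_name[1] if len(account_name) > 1 else account_name[0]


def accounts_near_lockout(events, now, window_minutes=15, threshold=4, watch=None):
    """Return {account: failed_count} for accounts with more than `threshold`
    failures in the `window_minutes` ending at `now` (ISO 8601 string).
    `watch`, if given, restricts the result to those accounts, mirroring the
    thread's in("user1","user2") filter in the where clause."""
    now_dt = datetime.fromisoformat(now)
    cutoff = now_dt - timedelta(minutes=window_minutes)  # earliest=-15m@m
    counts = defaultdict(int)
    for ts, account_name in events:
        event_time = datetime.fromisoformat(ts)
        if not cutoff <= event_time <= now_dt:           # outside the search window
            continue
        counts[target_account(account_name)] += 1        # stats count by userfield
    return {user: n for user, n in counts.items()        # where failedlogins > 4
            if n > threshold and (watch is None or user in watch)}


if __name__ == "__main__":
    print(accounts_near_lockout(SAMPLE_EVENTS, "2024-01-10T09:10:00"))  # {'alice': 5}
```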