We have an immediate need to create a query that will help identify password spray attempts:
I have been trying:
| stats by count src_ip, UserId | where count > 20
Unfortunately this doesn't work. What I need is a way to see a single IP address associated with multiple UserIds or Account_Names.
Could somebody be so kind as to help direct me to a relatively easy way to accomplish this task?
Thank you so very much.
Try:
| stats dc(UserId) AS count_UserId, values(UserId) AS UserId BY src_ip | search count_UserId>20
This should show you src_ip values associated with more than 20 UserId values, and which UserId values they are.
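The difference between the two queries in this thread is the aggregation key: counting events per (src_ip, UserId) pair finds one account being hammered, while counting distinct UserIds per src_ip finds one source touching many accounts, which is the spray pattern. The following is an added example, not code from the thread, that re-implements both aggregations in Python over a small constructed authentication log (the IP addresses, user names and timestamps are invented sample data) so the contrast can be run offline. It goes slightly beyond the thread by showing side by side why the per-pair count misses the spraying source while the distinct-count query catches it; the threshold of 20 follows the answer above.

```python
from collections import defaultdict


def build_sample_log():
    """Construct a small authentication log (sample data, not from the thread).

    Each line: "<timestamp> <src_ip> <UserId> <result>".
    - 203.0.113.5 tries 25 different accounts once each (spray pattern).
    - 198.51.100.7 tries one account 30 times (single-account pattern).
    - 192.0.2.9 is a normal user who logs in successfully.
    """
    lines = []
    for i in range(1, 26):
        lines.append(f"2024-01-01T10:00:{i:02d} 203.0.113.5 user{i:02d} failure")
    for i in range(30):
        lines.append(f"2024-01-01T10:01:{i:02d} 198.51.100.7 carol failure")
    lines.append("2024-01-01T10:02:00 192.0.2.9 dave success")
    return "\n".join(lines)


def parse_events(text):
    """Parse the log into dicts carrying the field names the SPL queries use."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, user_id, result = line.split()
        events.append({"_time": ts, "src_ip": src_ip,
                       "UserId": user_id, "result": result})
    return events


def count_by_ip_and_user(events):
    """Equivalent of `stats count BY src_ip, UserId` (the question's approach).

    Counts attempts per (ip, user) pair, so a source that touches many
    accounts once each never exceeds a per-pair threshold.
    """
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["src_ip"], ev["UserId"])] += 1
    return dict(counts)


def distinct_users_by_ip(events):
    """Equivalent of `stats dc(UserId), values(UserId) BY src_ip` (the answer)."""
    users = defaultdict(set)
    for ev in events:
        users[ev["src_ip"]].add(ev["UserId"])
    return {ip: sorted(u) for ip, u in users.items()}


def find_spray_sources(events, threshold=20):
    """Return {src_ip: [UserIds]} for sources seen with more than
    `threshold` distinct accounts, mirroring `search count_UserId>20`."""
    return {ip: u for ip, u in distinct_users_by_ip(events).items()
            if len(u) > threshold}


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    for ip, users in find_spray_sources(evs).items():
        print(f"{ip}: {len(users)} distinct accounts -> {users}")
    # The per-pair count never exceeds 1 for the spraying source, which is
    # why the original `where count > 20` query did not surface it.
    pairs = count_by_ip_and_user(evs)
    print("max per-pair count for 203.0.113.5:",
          max(c for (ip, _), c in pairs.items() if ip == "203.0.113.5"))
```

Running the block prints only 203.0.113.5 as a spray source with its 25 account names, while 198.51.100.7 (one account, 30 attempts) is left to a per-account lockout or brute-force rule. The same split applies in Splunk: keep the answer's `dc(UserId) BY src_ip` query for spraying and a separate `count BY src_ip, UserId` query for single-account attacks.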