I'm testing a modified Security Essentials Basic Brute Force Detection search. When I run the search portion, I get plenty of results with Audit Success. But when I include the stats portion, only Failures are returned. Am I missing something here?
index=wineventlog source=WinEventLog:Security OR tag=authentication AccountName=* AccountName!=""
| stats count(eval (Keywords="Audit Success")) as Successes count(eval(Keywords="Audit Failure")) as Failures by SourceNetworkAddress | where Successes>0 OR Failures>0
The "Keyworks" field is not the correct field to use (this field is pretty much useless and just indicates that logging was successful). You should instead have an "action" field that indicates if the login was successful or not.