tstats and _time span

Path Finder


Still not sure on the '_time span=5s' element of the following search. The goal is to alert when a source device fails
to login to greater than 10 destinations in a 5 second period. If I run this search over say, 7 days, I get failed logins
from the same source device to multiple destinations but they are spaced out over a much greater time period than the 5 seconds
Im looking for.

Any thoughts?

| tstats summariesonly count from datamodel=Authentication where nodename=Authentication.FailedAuthentication
by "Authentication.src","Authentication.dest", "Authentication.src
user" time span=5s
| rename "Authentication.src" as "Source
Device", "Authentication.dest" AS "Destination"
| stats dc(Destination) AS TotalDest, values(Destination) AS ListDestinations, by SourceDevice,
| where Total
Dest > 10

Tags (1)

Re: tstats and _time span


Try with this.

| tstats summariesonly=true  count from datamodel=Authentication where nodename=Authentication.Failed_Authentication 
by "Authentication.src","Authentication.dest", "Authentication.src_user",_time 
| rename "Authentication.src" as "Source_Device", "Authentication.dest" AS "Destination" 
| timechart span=5s dc(Destination) AS Total_Dest, values(Destination) AS List_Destinations | where Total_Dest >1
0 Karma

Re: tstats and _time span

Path Finder

Nope. If I run that over a period of 7 days it just gives me a breakdown by day of destinations where a failed login has occurred. I need something which takes a source address and then calculates where that device has failed to login to move than 10 destinations within a 5 second period and alerts accordingly.

0 Karma