I am attempting to set up an alert to monitor for possible password spraying in my AD environment.
I am using Windows Security event logs, specifically EventCode 4625.
I have created the following search string, which gives me a count of events by host and by user ID so I can see which hosts are generating failed login events:
sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
| stats count as EvtCounts by user, clienthost
| where EvtCounts <= 10
| sort -EvtCounts
| eval EvtCatCnt = user." (".EvtCounts.")"
| stats sum(EvtCounts) as Total_Events, values(EvtCatCnt) as user by clienthost
| sort -Total_Events
| eval clienthost = clienthost." (".Total_Events.")"
| table clienthost, user
I am now trying to limit the results to only show hosts that have more than one user with failed login events. I am not sure how to limit the initial search with a stats count by host and user where count >= 2 and count < 10, and then pass those results to another stats count.
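One way to express that two-stage filter, added here as an example and not part of the original post: keep the per-host, per-user count as the first `stats`, apply the 2 to 9 range with a `where`, then roll up by host and use `dc(user)` (distinct count of users) as the second condition. The base search, `dnslookup`, and field names (`src_ip`, `user`, `clienthost`) are reused unchanged from the question; `User_Count` and `Total_Events` are names chosen for this example.

```spl
sourcetype="WinEventLog:Security" EventCode=4625 src_ip!="127.0.0.1" src_ip!="::1" user!="$"
| lookup dnslookup clientip as src_ip
``` first stage: failures per host and user ```
| stats count as EvtCounts by clienthost, user
``` keep only low-and-slow counts; a single account with many failures is brute force, not spraying ```
| where EvtCounts >= 2 AND EvtCounts < 10
| eval EvtCatCnt = user." (".EvtCounts.")"
``` second stage: roll up per host and count how many distinct users failed ```
| stats sum(EvtCounts) as Total_Events, dc(user) as User_Count, values(EvtCatCnt) as user by clienthost
``` spraying touches many accounts from one source, so require more than one user per host ```
| where User_Count > 1
| sort -Total_Events
| eval clienthost = clienthost." (".Total_Events.")"
| table clienthost, User_Count, user
```

Two points worth checking before turning this into an alert. First, the `where User_Count > 1` must come after the second `stats`, since `dc(user)` only exists once the per-user rows have been collapsed into one row per host. Second, the counts are over the whole search window; for an alert that runs on a schedule, it is usually clearer to add `| bin _time span=1h` before the first `stats` and include `_time` in both `by` clauses, so a host that sprays ten accounts in one hour is not averaged away across a day of normal typos.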