Hello,
I have two queries from two DMs (Authentication and Change-Analysis).
Task: Basically, I need to exclude the users who have changed their password themselves in the last 3 days from a brute-force detection.
I am having a hard time merging two results from two DMs. The query which uses the Authentication DM is grouped by src, and the other query, which uses the Change-Analysis DM, does not have a src field, but both have the "user" field in common. How do I merge them?
Can we join these two queries using the common field "user" or a subsearch?
The below is not actually working, but it shows that I need to join the subsearch. Please let me know if you still need more clarification on this.
Sample:
| from datamodel:"Authentication.Authentication"
| search NOT [search index=oswinsec earliest=-72h@h latest=-1h@h tag=account ((EventCode=4723 status=success) OR (EventCode=4738 action=modified)) user!="$" | stats dc(EventCode) as count by user | where count=2 | fields user]
| stats count(eval('action'=="failure")) as failure, count(eval('action'=="success")) as success by src
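The exclusion described in the post, modelled in Python as an added example that is not the poster's code or data: the subsearch side collects the users who have both a successful 4723 and a 4738/modified inside the 72h-to-1h window (dc(EventCode)=2 per user), and the main-search side drops those users from the Authentication events before grouping by src, because once the rows are grouped by src the user field is gone and there is nothing left to join on. All events are constructed sample data; the window, the event codes and the failure threshold are taken from the post, while treating the post's `user!="$"` filter as "drop account names ending in $" (machine accounts) is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 10, 12, 0, 0)  # constructed "search time" standing in for now()

# Constructed Change-Analysis side (Windows Security event codes):
# 4723 = user changed own password, 4738 = user account was changed.
CHANGE_EVENTS = [
    {"_time": NOW - timedelta(hours=5),  "EventCode": 4723, "status": "success",  "user": "alice"},
    {"_time": NOW - timedelta(hours=5),  "EventCode": 4738, "action": "modified", "user": "alice"},
    {"_time": NOW - timedelta(hours=30), "EventCode": 4723, "status": "success",  "user": "bob"},    # 4723 only
    {"_time": NOW - timedelta(days=5),   "EventCode": 4723, "status": "success",  "user": "carol"},  # outside window
    {"_time": NOW - timedelta(days=5),   "EventCode": 4738, "action": "modified", "user": "carol"},
    {"_time": NOW - timedelta(hours=2),  "EventCode": 4738, "action": "modified", "user": "SRV01$"}, # machine account
]


def _auth(user, src, action, n):
    """Build n constructed Authentication events for one user/src/action."""
    return [{"user": user, "src": src, "action": action} for _ in range(n)]


# Constructed Authentication side: alice mistyped her new password a few times.
AUTH_EVENTS = (_auth("alice", "10.0.0.5", "failure", 4) + _auth("alice", "10.0.0.5", "success", 1)
               + _auth("carol", "10.0.0.5", "failure", 2)
               + _auth("bob", "10.0.0.9", "failure", 3) + _auth("dave", "10.0.0.9", "success", 1))


def self_changed_users(change_events, now=NOW,
                       earliest=timedelta(hours=72), latest=timedelta(hours=1)):
    """Model of the subsearch: users with BOTH a successful 4723 and a
    4738/modified inside [now-72h, now-1h], i.e. dc(EventCode)=2 per user."""
    codes_by_user = defaultdict(set)
    for ev in change_events:
        if not (now - earliest <= ev["_time"] <= now - latest):
            continue
        user = ev["user"]
        if user.endswith("$"):  # assumption: the post's user!="$" intends to drop machine accounts
            continue
        if ((ev["EventCode"] == 4723 and ev.get("status") == "success")
                or (ev["EventCode"] == 4738 and ev.get("action") == "modified")):
            codes_by_user[user].add(ev["EventCode"])
    return {u for u, codes in codes_by_user.items() if len(codes) == 2}


def failure_success_by_src(auth_events, excluded_users):
    """Model of `search NOT [...] | stats count(eval(action=="failure")) ... by src`.
    The user filter runs per event, before grouping: the grouped rows no longer
    carry `user`, so filtering after `stats ... by src` would be impossible."""
    by_src = defaultdict(lambda: {"failure": 0, "success": 0})
    for ev in auth_events:
        if ev["user"] in excluded_users:
            continue
        if ev["action"] in ("failure", "success"):
            by_src[ev["src"]][ev["action"]] += 1
    return dict(by_src)


def brute_force_sources(auth_events, change_events, min_failures=3):
    """Sources that still exceed the failure threshold once self-changers are removed."""
    excluded = self_changed_users(change_events)
    counts = failure_success_by_src(auth_events, excluded)
    return sorted(src for src, c in counts.items() if c["failure"] >= min_failures)


if __name__ == "__main__":
    print("excluded users:", self_changed_users(CHANGE_EVENTS))
    print("without exclusion:", failure_success_by_src(AUTH_EVENTS, set()))
    print("with exclusion:   ", failure_success_by_src(AUTH_EVENTS, self_changed_users(CHANGE_EVENTS)))
    print("brute-force sources:", brute_force_sources(AUTH_EVENTS, CHANGE_EVENTS))
```

Only alice qualifies for exclusion (bob has only a 4723, carol's change is older than 72h, SRV01$ is a machine account), so 10.0.0.5 drops from 6 failures to 2 and no longer trips the threshold, while 10.0.0.9 still does. The same ordering holds in SPL: the `NOT [subsearch]` has to sit in the `search` before the `stats ... by src`.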