Hello,
In order to detect excessive failed logins we use the correlation search below:
| tstats summariesonly=true allow_old_summaries=true values(Authentication.tag) as "tag", values(Authentication.user) as user, values(Authentication.sourcetype) as sourcetype, dc(Authentication.user) as "user_count",dc(Authentication.dest) as "dest_count",count from datamodel=Authentication.Authentication where nodename=Authentication.Failed_Authentication by "Authentication.app","Authentication.src"
| `drop_dm_object_name("Authentication")`
| where 'count'>=6
For some reason it does not return the values of the sourcetype and tag fields; they stay empty. There is no issue with other fields like user and dest. A simple |from datamodel:Authentication... search returns all fields' values as well.
Do you have an idea what is causing the issue and how it could be fixed?
Many thanks!

For the common default fields, you would not need to reference the dataset name. You can just use "values(sourcetype) as sourcetype". Same goes with _time, source, and host.
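As an added example (not the poster's own search and not part of the original answer), here is the correlation search from the question rewritten the way the answer describes: the default index-time fields are referenced without the dataset prefix inside the tstats aggregation. The `source` and `host` values are included as an illustration of the same rule; the `Authentication.tag` reference and the threshold of 6 are kept exactly as the question has them.

```spl
| tstats summariesonly=true allow_old_summaries=true
    values(Authentication.tag) as tag,
    values(Authentication.user) as user,
    values(sourcetype) as sourcetype,
    values(source) as source,
    values(host) as host,
    dc(Authentication.user) as user_count,
    dc(Authentication.dest) as dest_count,
    count
  from datamodel=Authentication.Authentication
  where nodename=Authentication.Failed_Authentication
  by "Authentication.app", "Authentication.src"
| `drop_dm_object_name("Authentication")`
| where 'count'>=6
```

The only change that matters for the empty-field symptom is `values(sourcetype) as sourcetype` in place of `values(Authentication.sourcetype)`; `_time`, `source` and `host` follow the same pattern. Fields that belong to the data model itself (`user`, `dest`, `app`, `src`) still need the `Authentication.` prefix until `drop_dm_object_name` strips it.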
Great! Thanks for the help!
