Hello,
In order to detect excessive failed logins we use the correlation search below:
| tstats summariesonly=true allow_old_summaries=true values(Authentication.tag) as "tag", values(Authentication.user) as user, values(Authentication.sourcetype) as sourcetype, dc(Authentication.user) as "user_count",dc(Authentication.dest) as "dest_count",count from datamodel=Authentication.Authentication where nodename=Authentication.Failed_Authentication by "Authentication.app","Authentication.src"
| `drop_dm_object_name("Authentication")`
| where 'count'>=6
For some reason it does not return the values of sourcetype
and tag
fields, it stays empty. There is no issue with other fields like user
and dest
. A simple |from datammodel:Authentication...
search returns all fields' values as well.
Do you have an idea what the issue is caused by and how it could be fixed?
Many thanks!
For the common default fields, you would not need to reference the dataset name. You can just use "values(sourcetype) as sourcetype". Same goes with _time, source, and host.
For the common default fields, you would not need to reference the dataset name. You can just use "values(sourcetype) as sourcetype". Same goes with _time, source, and host.
Great! Thanks for the help!