Splunk IT Service Intelligence

All the failed events and that the last one is successful

aortiz6
New Member

Hello,

I am trying to perform a search that returns the unsuccessful login attempts per user. In the same alert I set a severity: if only failed attempts were made, the severity is high, but if after those failed attempts there was also a successful attempt, the severity is critical.

The problem is that the alert is not filtering on the last successful event; instead it adds up all the events, regardless of whether they are successful or failed.

Any suggestions to better build the alert? I copy the query:

```spl
Authentication.EventCode=4768 OR Authentication.EventCode=4771
| transaction Authentication.user maxevents=-1 mvlist=true startswith="failed"
| eval Fecha=strftime(_time, "%d/%m/%Y %I:%M:%S %p")
| stats First(Fecha) values(host) as Destino values(Authentication.src) as Origen count as "CantIntentos" values(Authentication.action) as Descripcion dc(Authentication.action) as test by sourcetype, Authentication.user
| where CantIntentos > 50
| eval Severidad=case((test<2), "4", 1=1, "5")
| fields - test
```

Results (using list to see all events):

| sourcetype | Authentication.user | First(Fecha) | Destino | Origen | CantIntentos | Descripcion | Severidad |
|---|---|---|---|---|---|---|---|
| wineventlog | AR029887 | 20/03/2019 01:10:51 PM | Arsrv203 | ::ffff:10.35.124.45 | 4 | failure success failure success failure success failure success | 5 |
| wineventlog | Ar031546 | 20/03/2019 01:09:30 PM | ARSRV018 | ::ffff:10.70.39.243 | 1 | failure | 4 |
| wineventlog | ar021387 | 20/03/2019 01:09:17 PM | ARSRV185 | ::ffff:10.17.167.44 | 4 | failure success failure success failure success failure success | 5 |
| wineventlog | ar027735 | 20/03/2019 01:11:08 PM | ARSRV018 ARSRV184 | ::ffff:10.100.5.10 ::ffff:172.22.20.222 | 41 | failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure failure | 4 |

yannK
Splunk Employee

If you were to do a regular search, I would recommend using the transaction command (starting at the first failure, ending at the latest OR success).
Then exclude the transactions with success, and focus on the others.

see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

But those commands are not great for a KPI search in ITSI, as they transform the data.

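As an added example that is not part of either post above, one way to express the same alert without transaction (which yannK notes is a poor fit for an ITSI KPI search): count only the failures per user with count(eval(...)), and take the chronologically latest Authentication.action with latest() to decide whether the streak ended in a success. It assumes the poster's base search and field values ("failure"/"success" in Authentication.action, as shown in the results table); the field names CantIntentos, UltimaAccion and PrimerEvento are chosen here.

```spl
Authentication.EventCode=4768 OR Authentication.EventCode=4771
| stats count(eval('Authentication.action'="failure")) as CantIntentos
        latest(Authentication.action) as UltimaAccion
        min(_time) as PrimerEvento
        values(host) as Destino
        values(Authentication.src) as Origen
        by sourcetype Authentication.user
| where CantIntentos > 50
| eval Severidad=if(UltimaAccion="success", "5", "4")
| eval Fecha=strftime(PrimerEvento, "%d/%m/%Y %I:%M:%S %p")
| fields - PrimerEvento
```

The threshold now applies to failed attempts only (the poster's count included successes), and Severidad is 5 only when the most recent event in the search window for that user is a success, so a user who failed, succeeded, and then failed again is reported as high rather than critical.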