I am trying to perform a search in which I return the unsuccessful login attempts per user. In the same alert I put severity, where if only failed attempts were made, the severity is high, but if after those failed attempts there was also a successful attempt, the severity is critical.
The problem is that the alert is not filtering on the last successful event; it adds up all the events, regardless of whether they are successful or failed.
Any suggestions on how to better build the alert? Here is the query:
Authentication.EventCode=4768 OR Authentication.EventCode=4771
| transaction Authentication.user maxevents=-1 mvlist=true startswith="failed"
| eval Fecha=strftime(_time, "%d/%m/%Y %I:%M:%S %p")
| stats First(Fecha) values(host) as Destino values(Authentication.src) as Origen count as "CantIntentos" values(Authentication.action) as Descripcion dc(Authentication.action) as test by sourcetype, Authentication.user
| where CantIntentos >50
| eval Severidad=case((test<2 ),"4",1=1, "5")
| fields - test
If you were to do a regular search, I would recommend using the transaction command (starting at the first failure, ending at the latest OR a success).
Then exclude the transactions with success, and focus on the others.
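An added example search (not the original poster's query and not the answerer's code) that implements the severity logic the question describes, "high" when a user only produced failures and "critical" when a success followed the failures. It swaps the transaction approach suggested above for a plain stats aggregation, which keeps the per-user timestamps of the last failure and the last success instead of relying on transaction boundaries. It assumes the same CIM-style field names as the question (Authentication.EventCode, Authentication.user, Authentication.action, Authentication.src) and that Authentication.action contains a value like "failure"/"failed" for 4771 and "success" for 4768; both are assumptions, so adjust the eval on the second line to your data.

```spl
Authentication.EventCode=4768 OR Authentication.EventCode=4771
| eval outcome=if(match('Authentication.action', "(?i)fail"), "failed", "success")
| stats count(eval(outcome="failed")) as CantIntentos
        max(eval(if(outcome="failed", _time, null()))) as last_failed
        max(eval(if(outcome="success", _time, null()))) as last_success
        values(host) as Destino
        values(Authentication.src) as Origen
        values(Authentication.action) as Descripcion
        by sourcetype, Authentication.user
| where CantIntentos > 50
| eval Severidad=if(isnotnull(last_success) AND last_success > last_failed, "5", "4")
| eval Fecha=strftime(last_failed, "%d/%m/%Y %I:%M:%S %p")
| fields - last_failed, last_success
```

Because the count only includes events whose outcome is "failed", a single success no longer inflates CantIntentos, and Severidad is decided by comparing when the last success happened against when the last failure happened rather than by how many distinct action values exist. If you want "critical" for any success that occurred after the first failure of the burst rather than after the most recent one, add min(eval(if(outcome="failed", _time, null()))) as first_failed to the stats clause and compare last_success against first_failed instead.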