I am trying to craft a search which will display the users who have failed logins more than 2 times against a server.
Below is the search I am using. Need help to include the "greater than 2 events" search.....
sourcetype=wineventlog:security action=failure Source_Network_Address="x.x.x.x" user!=*$ | eval hostname=case(Source_Network_Address == "x.x.x.x", "YYYY") |stats c as "Event Count" values(signature) as "Login Message" values(hostname) as "Source" min(_time) as start max(_time) as stop by user, action | convert ctime(start) | convert ctime(stop)
Have you tried adding this to your search?
... | where "Event Count" > 2