I am looking to run anomaly detection on failed and successful logons per user per host over a given time frame (7 days with a span of 1 day). My hope is that the search will provide the results of only anomalous counts of logons per user per host. My initial thought was to run a search similar to this:
index=foo (sourcetype=auditd type=USER_AUTH OR type=USER_ERR res=failed op!=password) host=$host_one_at_a_time$ user=$user_one_at_a_time$ | timechart count by logon| anomalydetection
I don't know how to pass one value at a time to a search from a subsearch and would like to keep it automated. Ideally it would distinguish anomalies per host and user, but I would also be okay with just user. The goal is to identify when a user account gets crazy with successful or failed logins.