I'm looking for a query, which looks for successful [ or unsuccessful ] brute force attempts, and then to take the Username that was [ or unsuccessfully/successfully logged in and then automatically return which other (if any) IP's that account was logged into.
Virtual beers and a high five on offer here 😄
index=your_index status=succes OR status=unsuccessful | stats values(srcip) by users status
If you give me sample event and field names associated with it I can give you proper query.
You need to edit these query according to naming of the field names in your data.
Query in original question - hope that this helps!