I am trying to do this logic. Each "IF" I can do separately no issue. However, I am not sure how to combine these two searches together as the second search is based off the output of the first.
IF we see more than 10 failed events (1201 OR 1203)
THEN IF we see more than 2 different users
print ForwardedIP
Pipe
IF we see successful events (1200 OR 1202)
Print Usernames
The searches basically consist of
index="auth" EventCode=1201 OR EventCode=1203 | rex "(?[^<]+)" | rex "(?[^<]+)" | stats values(UserId) as UserId by ForwardedIpAddress
And then EventCode 1200 and 1202 for successful auth.
If we see bad auths with multiple users from the same IP, and then we see a successful auth we want to know about it.
Like this:
index="auth" AND (EventCode="1201" OR EventCode="1203" OR EventCode="1200" OR EventCode="1202")
| rex GarbledWhatever
| stats count(eval(EventCode="1201" OR EventCode="1203")) AS failed count(eval(EventCode="1200" OR EventCode="1202")) AS successful values(UserId) AS UserId dc(UserId) AS userCount BY ForwardedIpAddress
| where userCount>2 AND failed>10 AND successful>0
Try something like this
| stats count user_count by UserId, EventCode, ForwardedIpAddress
| eval NEW_FIELD=if(user_count>=2 AND (EventCode=1201 OR EventCode=1202),"Multiple users, same IP","Nothing to see here")
Give map at try.
index="auth" EventCode=1201 OR EventCode=1203 | rex "(?[^\<]+)" | rex "(?[^\<]+)" | stats values(UserId) as UserId by ForwardedIpAddress | map search="search index=auth EventCode=1200 OR EventCode=1202 UserId=$UserId$"
Not a good idea to use map
here.. You're already filtering down the eventcode's in the base of the search and iterating against each user_id field. What happens if there's hundreds of thousands of users? This is going to crush performance and does not scale well. Better approach is to use stats
and pre-process the data and feed that into a conditional statement