I'm working on a query to pinpoint failed login attempts from a particular network address, hence I use a count stat on the network address. Here is my query:
source = "WinEventLog:Security" EventCode="529" | bucket _time span=15m | stats count(Source_Network_Address) as y by _time Source_Network_Address User_Name Workstation_Name Source_Port
However, the result is not as ideal as I want. It now seems to be counting asdasd (User_Name), whereas I want the source 10.110.12.143 to be counted (how many times it appears) in each 15-minute bucket regardless of User_Name.
So if I do the following:
source = "WinEventLog:Security" EventCode="529" | bucket _time span=15m | stats count(Source_Network_Address) as y by _time Source_Network_Address User_Name Workstation_Name Source_Port | search y >3
I only get results for User_Name asdasd.
Can anyone guide me on this?
| _time | Source_Network_Address | User_Name | Workstation_Name | Source_Port | y |
|---|---|---|---|---|---|
| 6/25/12 4:15:00.000 PM | 10.110.12.143 | 134 | SGVM-QA0012 | 2149 | 1 |
| 6/25/12 4:15:00.000 PM | 10.110.12.143 | asdasd | SGVM-QA0012 | 2149 | 4 |
| 6/25/12 4:15:00.000 PM | 10.110.12.143 | dfsfds | SGVM-QA0012 | 2257 | 1 |
| 6/25/12 4:15:00.000 PM | 10.110.12.143 | iojioj | SGVM-QA0012 | 2149 | 1 |
| 6/25/12 4:15:00.000 PM | 10.110.12.143 | kjnhg | SGVM-QA0012 | 2257 | 1 |
| 6/25/12 4:15:00.000 PM | 10.110.12.143 | rtyjk | SGVM-QA0012 | 2257 | 1 |
| 6/25/12 4:30:00.000 PM | 10.110.12.143 | admin | SGVM-QA0012 | 2118 | 1 |
| 6/25/12 4:30:00.000 PM | 10.110.12.143 | admin | SGVM-QA0012 | 2280 | 1 |
| 6/25/12 4:30:00.000 PM | 10.110.12.143 | hjtyjty | SGVM-QA0012 | 2118 | 1 |
As Ayn says, you're complicating it too much. If you only want to find out how many failed login attempts have been made towards this particular host in each 15-minute period, the following should work.
source = "WinEventLog:Security" EventCode="529" Source_Network_Address=10.110.12.143 | bucket _time span=15m | stats count(Source_Network_Address) as y by _time
UPDATE:
Would this be what you want?
source = "WinEventLog:Security" EventCode="529" | bucket _time span=15m | stats count values(User_Name) as y by _time Source_Network_Address
/Kristian
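To make the difference between the two `stats` split-bys concrete, here is an added Python model of the pipeline (it is not part of the original thread and not Splunk code). It re-implements `bucket _time span=15m` followed by `stats count by _time <fields>` over constructed sample events shaped like the table in the question, and shows why splitting by `User_Name` fragments the per-source count (asdasd = 4) while splitting only by `Source_Network_Address` gives the total for the address in that bucket (9), which is what a `search y > 3` threshold should be applied to. The helper names (`bucket_time`, `count_by`, `sources_over_threshold`, `distinct_users`) and the event timestamps are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events modelled on the question's table (not real log data).
# Fields: _time, EventCode, Source_Network_Address, User_Name, Workstation_Name, Source_Port
_ROWS = [
    ("2012-06-25 16:16:02", "529", "10.110.12.143", "134",     "SGVM-QA0012", 2149),
    ("2012-06-25 16:16:40", "529", "10.110.12.143", "asdasd",  "SGVM-QA0012", 2149),
    ("2012-06-25 16:17:05", "529", "10.110.12.143", "asdasd",  "SGVM-QA0012", 2149),
    ("2012-06-25 16:17:31", "529", "10.110.12.143", "asdasd",  "SGVM-QA0012", 2149),
    ("2012-06-25 16:18:12", "529", "10.110.12.143", "asdasd",  "SGVM-QA0012", 2149),
    ("2012-06-25 16:19:00", "529", "10.110.12.143", "dfsfds",  "SGVM-QA0012", 2257),
    ("2012-06-25 16:20:44", "528", "10.110.12.143", "dfsfds",  "SGVM-QA0012", 2257),  # successful logon, must be ignored
    ("2012-06-25 16:22:10", "529", "10.110.12.143", "iojioj",  "SGVM-QA0012", 2149),
    ("2012-06-25 16:25:55", "529", "10.110.12.143", "kjnhg",   "SGVM-QA0012", 2257),
    ("2012-06-25 16:29:59", "529", "10.110.12.143", "rtyjk",   "SGVM-QA0012", 2257),
    ("2012-06-25 16:30:00", "529", "10.110.12.143", "admin",   "SGVM-QA0012", 2118),
    ("2012-06-25 16:33:21", "529", "10.110.12.143", "admin",   "SGVM-QA0012", 2280),
    ("2012-06-25 16:41:07", "529", "10.110.12.143", "hjtyjty", "SGVM-QA0012", 2118),
]
_FIELDS = ("_time", "EventCode", "Source_Network_Address", "User_Name",
           "Workstation_Name", "Source_Port")
SAMPLE_EVENTS = [dict(zip(_FIELDS, row)) for row in _ROWS]


def bucket_time(ts: str, span_minutes: int = 15) -> str:
    """Model of `bucket _time span=15m`: floor a timestamp to the start of its span."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    floored = t - timedelta(minutes=t.minute % span_minutes, seconds=t.second)
    return floored.strftime("%Y-%m-%d %H:%M:%S")


def count_by(events, fields, event_code="529", span_minutes=15):
    """Model of `EventCode=<code> | bucket _time | stats count by _time <fields>`.

    Returns {(bucket, field1_value, field2_value, ...): count}.  Every field in
    `fields` becomes part of the group key, which is exactly why adding
    User_Name splits one source address into many small rows.
    """
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") != event_code:
            continue
        key = (bucket_time(ev["_time"], span_minutes),) + tuple(ev.get(f) for f in fields)
        counts[key] += 1
    return dict(counts)


def sources_over_threshold(events, threshold=3, span_minutes=15):
    """Model of `stats count by _time Source_Network_Address | search count > threshold`.

    Works for ANY source address, not just one, because the address is a
    group-by field rather than a filter.
    """
    per_source = count_by(events, ["Source_Network_Address"], span_minutes=span_minutes)
    return {key: n for key, n in per_source.items() if n > threshold}


def distinct_users(events, span_minutes=15):
    """Model of `stats dc(User_Name) by _time Source_Network_Address`: how many
    different accounts each address tried in the bucket (a password-spray signal)."""
    users = {}
    for ev in events:
        if ev.get("EventCode") != "529":
            continue
        key = (bucket_time(ev["_time"], span_minutes), ev["Source_Network_Address"])
        users.setdefault(key, set()).add(ev["User_Name"])
    return {key: len(names) for key, names in users.items()}


if __name__ == "__main__":
    print("split by source AND user:")
    for key, n in sorted(count_by(SAMPLE_EVENTS, ["Source_Network_Address", "User_Name"]).items()):
        print("  ", key, n)
    print("split by source only:", count_by(SAMPLE_EVENTS, ["Source_Network_Address"]))
    print("sources over threshold:", sources_over_threshold(SAMPLE_EVENTS))
    print("distinct users per source:", distinct_users(SAMPLE_EVENTS))
```

Note that the 16:30 bucket has three failures from the same address, which stays under a `> 3` threshold; only the 16:15 bucket is flagged. The `distinct_users` helper corresponds to the `values(User_Name)` idea in the UPDATE above, which shows which accounts were tried rather than just how many events there were.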
Great!!!
Thanks for the update. It works now!
see update above. /k
Hi,
Thanks for the suggestion.
I got your point.
However, the sample I offered is like that because I only tested on my computer, hence the network address is the same.
I need to detect ANY network address, not one particular address.
But anyway, still thank you for your point.
If you don't want it to split by username, then why are you splitting by username?