Hi,
Still not sure on the '_time span=5s' element of the following search. The goal is to alert when a source device fails
to log in to greater than 10 destinations in a 5 second period. If I run this search over, say, 7 days, I get failed logins
from the same source device to multiple destinations, but they are spaced out over a much greater time period than the 5 seconds
I'm looking for.
Any thoughts?
| tstats summariesonly=true count from datamodel=Authentication where nodename=Authentication.Failed_Authentication
by "Authentication.src", "Authentication.dest", "Authentication.src_user", _time span=5s
| rename "Authentication.src" AS "Source_Device", "Authentication.dest" AS "Destination"
| stats dc(Destination) AS Total_Dest, values(Destination) AS List_Destinations by Source_Device, _time
| where Total_Dest > 10
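The behaviour the question describes comes from the second `stats`: the `tstats` stage does bucket the failures into 5 second `_time` spans, but a following `stats ... by Source_Device` that omits `_time` merges every bucket back together, so a device that fails against 12 destinations once an hour looks the same as one that does it in 3 seconds. The Python below is an added illustration, not part of the original post or of Splunk, that mirrors both pipelines over a constructed set of failed-login events: `by_time=True` reproduces grouping by source and 5 second bucket, `by_time=False` reproduces grouping by source alone. The event tuples, hostnames and addresses are made up for the example.

```python
from collections import defaultdict

SPAN_SECONDS = 5      # the `_time span=5s` bucket width
THRESHOLD = 10        # alert when dc(dest) exceeds this, as in `where Total_Dest > 10`


def make_events():
    """Constructed sample data: (epoch_seconds, src, dest, src_user) failed-auth events.

    - 10.0.0.5 fails against 12 distinct hosts within 3 seconds (a real burst).
    - 10.0.0.9 fails against 12 distinct hosts, but one per hour (not a burst).
    """
    events = []
    for i in range(12):
        events.append((1000.0 + i * 0.25, "10.0.0.5", f"srv{i:02d}", "alice"))
    for i in range(12):
        events.append((2000.0 + i * 3600, "10.0.0.9", f"srv{i:02d}", "bob"))
    return events


def time_bucket(ts, span=SPAN_SECONDS):
    """Fixed-aligned bucket start, the same way `span=5s` floors _time."""
    return int(ts // span) * span


def distinct_dest_counts(events, span=SPAN_SECONDS, by_time=True):
    """Equivalent of: tstats count by src, dest, _time span=Ns
                      | stats dc(dest) by src[, _time]

    With by_time=True the key is (src, bucket); with by_time=False it is (src,),
    which is what happens when `_time` is left out of the second `by` clause.
    """
    dests = defaultdict(set)
    for ts, src, dest, _user in events:
        key = (src, time_bucket(ts, span)) if by_time else (src,)
        dests[key].add(dest)
    return {key: len(hosts) for key, hosts in dests.items()}


def alerts(events, span=SPAN_SECONDS, threshold=THRESHOLD, by_time=True):
    """Keys whose distinct-destination count exceeds the threshold (`where Total_Dest > 10`)."""
    return {
        key: n
        for key, n in distinct_dest_counts(events, span, by_time).items()
        if n > threshold
    }


if __name__ == "__main__":
    ev = make_events()
    print("grouped by src only:     ", alerts(ev, by_time=False))
    print("grouped by src + 5s span:", alerts(ev, by_time=True))
```

Run as-is, the first line reports both devices because all buckets collapse into one count per source; the second reports only `10.0.0.5` in the bucket starting at 1000, which is the result the search is meant to produce. One caveat carries over to the SPL: `span=5s` buckets are fixed-aligned, so a burst that straddles a bucket boundary is split across two counts and may fall under the threshold. If that matters, widen the span slightly or use `streamstats` with `time_window` after sorting by `_time`.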