Here's one for username guessing attacks I put on gosplunk. In particular check the 2nd line.
| bin _time span=5m as minute
Try tweaking the timer as seen in the SPL. If you're analysing and it takes someone less than a minute to guess wrongly 4 times, then they're a terrible brute forcer.
Doing it in 5 minute blocks may help suppress some of those false positives.
https://gosplunk.com/detect-username-guessing-brute-force-attacks/
sourcetype=windows EventCode=4625 OR EventCode=4624
| bin _time span=5m as minute
| rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:"
| stats count(Keywords) as Attempts,
count(eval(match(Keywords,"Audit Failure"))) as Failed,
count(eval(match(Keywords,"Audit Success"))) as Success by minute username
| where Failed>=4
| stats dc(username) as Total by minute
| where Total>5
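To make the window and thresholds concrete, here is an added Python re-implementation of that SPL pipeline (not from the post or from gosplunk) run over constructed Windows-style 4624/4625 events. The event text, timestamps and account names are made up; it shows a slow six-account spray that 1-minute bins miss and 5-minute bins flag.

```python
import re
from collections import defaultdict

# Same pattern as the rex in the SPL (Python spells the named group (?P<...>)).
# The greedy ".*" keeps trailing whitespace, so the match is stripped below.
USERNAME_RE = re.compile(
    r"Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?P<username>.*)\s*Account Domain:"
)

def detect(events, span, failed_threshold=4, total_threshold=5):
    """Return the start times (epoch seconds) of bins flagged by the SPL logic:
    bin by `span`, count failures per (bin, username), keep usernames with
    Failed >= failed_threshold, flag bins with dc(username) > total_threshold."""
    per_bin_user = defaultdict(lambda: {"Attempts": 0, "Failed": 0, "Success": 0})
    for ts, code, keywords, message in events:
        if code not in (4624, 4625):          # EventCode=4625 OR EventCode=4624
            continue
        m = USERNAME_RE.search(message)
        if not m:                             # rex miss: row has no username field
            continue
        key = (ts - ts % span, m.group("username").strip())   # bin _time span=...
        row = per_bin_user[key]
        row["Attempts"] += 1                  # count(Keywords)
        if "Audit Failure" in keywords:
            row["Failed"] += 1
        elif "Audit Success" in keywords:
            row["Success"] += 1
    users_per_bin = defaultdict(set)
    for (bucket, user), row in per_bin_user.items():
        if row["Failed"] >= failed_threshold: # where Failed>=4
            users_per_bin[bucket].add(user)   # stats dc(username) as Total by minute
    return sorted(b for b, u in users_per_bin.items() if len(u) > total_threshold)
# Constructed sample events (ts, EventCode, Keywords, message), not real log data.
T0 = 1_700_000_100                            # aligned to both 1m and 5m bins
def _msg(user):
    return f"Security ID: NULL SID Account Name: {user} Account Domain: CORP"
EVENTS = []
# Slow spray: 6 accounts, 4 wrong passwords each, one guess per account per minute.
for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
    for k in range(4):
        EVENTS.append((T0 + 60 * k + 10 * i, 4625, "Audit Failure", _msg(user)))
# One misconfigured service account failing 4 times in 20 seconds, then nothing.
for k in range(4):
    EVENTS.append((T0 + 240 + 5 * k, 4625, "Audit Failure", _msg("svc_backup")))
EVENTS.append((T0 + 290, 4624, "Audit Success", _msg("alice")))

if __name__ == "__main__":
    print("span=1m flags:", detect(EVENTS, 60))    # [] : each user fails once per minute
    print("span=5m flags:", detect(EVENTS, 300))   # [1700000100] : 7 users with >=4 failures
```

The service account alone never trips the search with either span, because `Total>5` needs more than five distinct usernames in the same bin.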