index=* sourcetype=linux_secure tag=authentication (action="failure" OR action="success")
| bucket span=5m _time
| streamstats count(eval(match(result_login,"success"))) AS sessionID BY user
| stats count AS action_count first(result_login) AS last_action range(_time) AS duration first(_raw) AS final_success last(_raw) AS first_failure BY user sessionID
| eval action_count = action_count - if(last_action="success", 1, 0)
| search action_count>=4 AND last_action="success" AND sessionID=1
I have removed "reverse", otherwise it looks at the events from the latest date to the earliest. I have added "bucket span=5m _time" to look for events within a 5-minute span.
I also added sessionID=1, otherwise the query keeps counting failures after a success event until it sees a second or even more successes.
The query looks very good, but I still have to test it extensively. I am just wondering if the bucket span is fine,
but so far it looks good. Thank you very much for your input, highly appreciated.
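The sessionization the query above performs, written out as an added Python example (it is not part of the original post and not Splunk code): it mirrors the streamstats, stats and eval steps over constructed sshd lines in linux_secure format, walking events newest-first the way Splunk returns them by default, so that sessionID=1 is the most recent success plus the failures older than it (back to the previous success), and first()/last() map to the newest and oldest event of each session. The sample log lines, the function names, and the `max_duration` parameter (which applies the intended 5-minute window to the session's actual time span rather than through `bucket`) are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in linux_secure format (sample data, not real logs).
# Listed oldest-first here; the detector re-sorts them newest-first itself.
SAMPLE_LOGS = """\
Mar 10 09:49:10 host1 sshd[901]: Failed password for alice from 203.0.113.5 port 3001 ssh2
Mar 10 09:49:20 host1 sshd[902]: Failed password for alice from 203.0.113.5 port 3002 ssh2
Mar 10 09:49:30 host1 sshd[903]: Failed password for alice from 203.0.113.5 port 3003 ssh2
Mar 10 09:49:40 host1 sshd[904]: Failed password for alice from 203.0.113.5 port 3004 ssh2
Mar 10 09:50:00 host1 sshd[905]: Accepted password for alice from 203.0.113.5 port 3005 ssh2
Mar 10 10:00:01 host1 sshd[1001]: Failed password for alice from 203.0.113.5 port 4001 ssh2
Mar 10 10:00:05 host1 sshd[1002]: Failed password for alice from 203.0.113.5 port 4002 ssh2
Mar 10 10:00:09 host1 sshd[1003]: Failed password for alice from 203.0.113.5 port 4003 ssh2
Mar 10 10:00:14 host1 sshd[1004]: Failed password for alice from 203.0.113.5 port 4004 ssh2
Mar 10 10:00:20 host1 sshd[1005]: Accepted password for alice from 203.0.113.5 port 4005 ssh2
Mar 10 10:01:00 host1 sshd[1006]: Failed password for bob from 198.51.100.7 port 5001 ssh2
Mar 10 10:01:30 host1 sshd[1007]: Accepted password for bob from 198.51.100.7 port 5002 ssh2
Mar 10 10:02:00 host1 sshd[1008]: Failed password for carol from 192.0.2.9 port 6001 ssh2
Mar 10 10:02:10 host1 sshd[1009]: Failed password for carol from 192.0.2.9 port 6002 ssh2
Mar 10 10:02:20 host1 sshd[1010]: Failed password for carol from 192.0.2.9 port 6003 ssh2
Mar 10 10:02:30 host1 sshd[1011]: Failed password for carol from 192.0.2.9 port 6004 ssh2
Mar 10 10:02:40 host1 sshd[1012]: Failed password for carol from 192.0.2.9 port 6005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)


def parse_events(text, year=2024):
    """Parse sshd password-auth lines into events with _time, user, result_login, _raw.
    Syslog timestamps carry no year, so one is supplied (assumption of this example)."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # lines that are not a password auth outcome are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "_time": ts,
            "user": m["user"],
            "result_login": "success" if m["result"] == "Accepted" else "failure",
            "_raw": raw,
        })
    return events


def assign_sessions(events):
    """Mirror of streamstats count(eval(match(result_login,"success"))) AS sessionID BY user,
    run newest-first: sessionID is the number of successes seen so far for that user,
    so events newer than the latest success get 0 and the latest success opens session 1."""
    newest_first = sorted(events, key=lambda e: e["_time"], reverse=True)
    successes_seen = defaultdict(int)
    for e in newest_first:
        if e["result_login"] == "success":
            successes_seen[e["user"]] += 1
        e["sessionID"] = successes_seen[e["user"]]
    return newest_first


def summarize_sessions(events):
    """Mirror of the stats ... BY user sessionID step plus the eval that removes
    the success event itself from action_count (events must arrive newest-first)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["sessionID"])].append(e)
    rows = []
    for (user, sid), evs in groups.items():
        newest, oldest = evs[0], evs[-1]          # first() and last() in Splunk's order
        last_action = newest["result_login"]
        action_count = len(evs) - (1 if last_action == "success" else 0)
        rows.append({
            "user": user,
            "sessionID": sid,
            "action_count": action_count,
            "last_action": last_action,
            "duration": (newest["_time"] - oldest["_time"]).total_seconds(),
            "final_success": newest["_raw"],
            "first_failure": oldest["_raw"],
        })
    return rows


def detect(text, min_failures=4, max_duration=300):
    """Mirror of the final search: at least min_failures failures immediately before the
    most recent success (sessionID=1), with the whole run inside max_duration seconds."""
    rows = summarize_sessions(assign_sessions(parse_events(text)))
    return [r for r in rows
            if r["action_count"] >= min_failures
            and r["last_action"] == "success"
            and r["sessionID"] == 1
            and r["duration"] <= max_duration]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(hit["user"], hit["action_count"], "failures in", hit["duration"], "s")
```

Running it flags only alice's most recent run (four failures then a success within 19 seconds). alice's earlier run at 09:49 also has four failures followed by a success, but it lands in sessionID=2 and is dropped by the sessionID=1 filter; bob has a single failure, and carol's five failures with no success stay in sessionID=0 and never match, which is the behaviour the sessionID=1 condition described above produces.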