One idea for detecting a spike or outlier in logons would be to summarize, by user, how often they log in, say # of times a week or day. You could try per hour, but you'll likely get a lot of noise.
Start with something like:
'index=<security> sourcetype=<logins> | bin span=1d _time | stats count by <user> _time'
Then summary-index this data over a recurring period to be able to detect outliers (try the | collect command).
Now apply the standard deviation method of detecting outliers: essentially, check if the sample is some number of standard deviations from the mean.
The MLTK toolkit has some fun features for this; some of the math behind it is:
- mean logins by user
- calculate standard deviation
- test for: (logins < (mean + 2 standard deviations))
If true, this is technically an outlier. You can adjust your standard deviation to experiment.
Then schedule this search to run over a time period and create an alert if there are results, or have it send you a report.
I would check out the MLTK though; there's lots of great stuff in there. Security Essentials has a use case for this as well.
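To make the per-user mean/standard-deviation check concrete, here is an added example (not from the answer above or from Splunk/MLTK) that runs the same logic in Python over a constructed table of daily logon counts, the shape the `| bin span=1d _time | stats count by user _time` search would write to a summary index. It flags a day as an outlier when its count is above mean + k * stddev, assumes a population standard deviation, and skips users with too little history; the user names, counts and the `min_days` guard are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample: 14 days of logon counts per user, i.e. the rows that
# "| bin span=1d _time | stats count by user _time" would write to a summary index.
DAILY_LOGONS = {
    "alice":      [4, 5, 6, 5, 4, 5, 5, 6, 4, 5, 5, 4, 5, 31],  # day 14 spikes
    "bob":        [2, 3, 2, 3, 2, 2, 3, 2, 3, 2, 2, 3, 2, 3],
    "svc_backup": [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],  # flat series
}


def threshold(counts, k=2.0):
    """Cutoff = mean + k * population stddev of one user's daily counts."""
    return mean(counts) + k * pstdev(counts)


def daily_outliers(daily_logons, k=2.0, min_days=7):
    """Return (user, day_index, count, cutoff) for days where count > cutoff.

    Users with fewer than min_days of history are skipped (assumed guard):
    a two-day baseline makes almost anything look like an outlier and floods
    the alert. A flat series (stddev 0) gets cutoff == mean, so any rise above
    the usual count is flagged, which is what you want for a service account.
    """
    hits = []
    for user, counts in daily_logons.items():
        if len(counts) < min_days:
            continue
        cutoff = threshold(counts, k)
        for day, n in enumerate(counts):
            if n > cutoff:
                hits.append((user, day, n, round(cutoff, 2)))
    return hits


if __name__ == "__main__":
    # Raise k (e.g. 3.0) to tighten the alert, lower it to make it noisier.
    for user, day, n, cutoff in daily_outliers(DAILY_LOGONS):
        print(f"{user}: day {day} had {n} logons, cutoff {cutoff}")
```

Scheduling this over the summary index and alerting on a non-empty result set is the equivalent of the saved search described above.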