Hi all, I have the following Correlation Search set up to detect accounts that have been excessively locked out during a short period of time. However, we get many repeat alerts even if the last lockout time is long past (probably because of how it is configured). Is there a way to stop the alerting once the lockouts stop? For example, an account has been locked out an excessive number of times (e.g. 10 times); the first time this occurred is on 05/01/2021 at 09:34:03 and the last time is 05/01/2021 at 18:22:08; we would still get alerted days after the fact (e.g. 05/05/2021).

Correlation Search:

Mode: Manual
Search:
index=wineventlog EventCode=4740 | stats count min(_time) as firstTime max(_time) as lastTime values(dest_nt_domain) as machines by user, signature | `ctime(firstTime)` | `ctime(lastTime)` | search count > 5
Time Range: Earliest Time: -7d, Latest Time: -10m@m
Cron Schedule: */15 * * * *
Scheduling: Continuous
Schedule Window: Auto
Schedule Priority: Default
Trigger Conditions: Trigger alert when Number of Results is greater than 0
Throttling: Window duration: 1 day(s); Fields to group by: user
Hi all, A past consultant of ours wrote the following correlation search to detect excessive user account lockouts:

index=wineventlog EventCode=4740 | stats count min(_time) as firstTime max(_time) as lastTime by user, signature | `ctime(firstTime)` | `ctime(lastTime)` | search count > 5

The results display the following:

user        | signature                     | count   | firstTime           | lastTime
<user name> | A user account was locked out | <count> | 01/07/2021 07:57:10 | 01/14/2021 02:56:51

The count above is a total of lockouts from different machines in our environment over a period of time. How can I add an additional column to list the actual machine names causing the lockouts (this data would be taken from the particular field "dest_nt_domain")? And is there a better way of doing this? e.g.

user        | signature                     | count   | firstTime           | lastTime            | machines
<user name> | A user account was locked out | <count> | 01/07/2021 07:57:10 | 01/14/2021 02:56:51 | <computer1>, <computer2>, ...
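The following SPL is an added example that is not part of either post above; it is one way of addressing both questions in the thread at once: the machine list from the second post (the `values(dest_nt_domain)` clause already present in the first post's search, plus a `dc()` count of distinct machines) and the stale-alert problem from the first post. The search still counts lockouts over the correlation search's 7-day time range, but it only returns a row while the most recent lockout is recent. The 30-minute recency window is an assumption chosen to cover the `*/15 * * * *` cron interval plus the `-10m@m` latest offset; tune it to your schedule. The field `dest_nt_domain` is taken from the posts as-is; depending on your Windows add-on's field extractions the caller computer for EventCode 4740 may be in a different field (such as `src`), so confirm with a quick `table` before relying on it.

```spl
index=wineventlog EventCode=4740
| stats count
        min(_time) as firstTime
        max(_time) as lastTime
        values(dest_nt_domain) as machines
        dc(dest_nt_domain) as machine_count
        by user, signature
| where count > 5 AND lastTime >= relative_time(now(), "-30m")
| eval firstTime=strftime(firstTime, "%m/%d/%Y %H:%M:%S"),
       lastTime=strftime(lastTime, "%m/%d/%Y %H:%M:%S")
| table user signature count machine_count machines firstTime lastTime
```

Two points a practitioner will want to keep in mind. First, the `where` clause must run before `lastTime` is converted to a display string: the original search pipes through `` `ctime(lastTime)` `` (a macro that formats the epoch value) and only then filters, so a `lastTime` comparison added after that macro would be comparing a string, not a number. In the example the epoch comparison happens first and the formatting (here done with `strftime` rather than the `ctime` macro, for readability outside Enterprise Security) happens afterwards. Second, the existing throttle (1 day, grouped by `user`) still applies on top of this: with the recency gate, an account that was locked out 10 times between 09:34 and 18:22 on 05/01 alerts at most once per day while the lockouts are still occurring, and stops matching within about 30 minutes of the last lockout rather than producing repeat alerts for the rest of the 7-day window.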