Hi @fatsug, using my search you can detect brute force, using your search you can detect a successful brute force, which is a subset of my search; if you're searching only for successful brute force tries, your search is the correct one. If you want a more complete solution, you could filter results using logfail>3, taking all brute force tries, and add an eval condition at the end to display the successful tries, something like this:

index="index" (status="logged in" OR (index="index" message="Invalid credentials." status="not logged")) earliest=-10m@m latest="@m"
| eval condition=if(status="logged in","login","logfail")
| stats count(eval(condition="login")) AS login count(eval(condition="logfail")) AS logfail BY ip
| where logfail > 3
| eval kind=if(login>0,"successful","unsuccessful")

Ciao. Giuseppe
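The same detection logic, reimplemented in Python over a handful of constructed login events so the stats/where/eval stages of the SPL above can be stepped through offline. This is an added example and not part of the original reply; the event records, the IP addresses, the fixed "current" timestamp and the `successful_only` switch (which mirrors the narrower "successful brute force only" variant discussed in the thread) are all assumptions made here, not data from the page.

```python
from collections import defaultdict

# Constructed "current time" in epoch seconds (not a real timestamp).
NOW = 1_700_000_000


def fail(ts, ip, message="Invalid credentials."):
    """Build a constructed failed-login event with the fields the SPL search keys on."""
    return {"_time": ts, "ip": ip, "status": "not logged", "message": message}


def ok(ts, ip):
    """Build a constructed successful-login event."""
    return {"_time": ts, "ip": ip, "status": "logged in", "message": ""}


# Constructed sample events standing in for Splunk search results (not real logs).
SAMPLE_EVENTS = [
    # 10.0.0.5: four failures then a success inside the window -> successful brute force
    fail(1_699_999_400, "10.0.0.5"), fail(1_699_999_410, "10.0.0.5"),
    fail(1_699_999_420, "10.0.0.5"), fail(1_699_999_430, "10.0.0.5"),
    ok(1_699_999_440, "10.0.0.5"),
    # 10.0.0.9: five failures, never logs in -> unsuccessful brute force
    fail(1_699_999_500, "10.0.0.9"), fail(1_699_999_510, "10.0.0.9"),
    fail(1_699_999_520, "10.0.0.9"), fail(1_699_999_530, "10.0.0.9"),
    fail(1_699_999_540, "10.0.0.9"),
    # 10.0.0.12: two failures and a login -> below the logfail>3 threshold, not reported
    fail(1_699_999_560, "10.0.0.12"), fail(1_699_999_570, "10.0.0.12"),
    ok(1_699_999_580, "10.0.0.12"),
    # 10.0.0.20: five failures, but only two fall inside earliest=-10m@m latest=@m
    fail(1_699_998_000, "10.0.0.20"), fail(1_699_998_010, "10.0.0.20"),
    fail(1_699_998_020, "10.0.0.20"),
    fail(1_699_999_600, "10.0.0.20"), fail(1_699_999_610, "10.0.0.20"),
    fail(1_699_999_990, "10.0.0.20"),  # after latest=@m, so excluded
    # 10.0.0.30: a different failure message does not match the base search
    fail(1_699_999_700, "10.0.0.30", message="Account locked."),
    fail(1_699_999_710, "10.0.0.30", message="Account locked."),
    fail(1_699_999_720, "10.0.0.30", message="Account locked."),
    fail(1_699_999_730, "10.0.0.30", message="Account locked."),
]


def window_bounds(now, minutes=10):
    """earliest=-10m@m latest=@m: snap 'now' down to the minute, then look back N minutes.
    Splunk treats earliest as inclusive and latest as exclusive."""
    latest = now - (now % 60)
    return latest - minutes * 60, latest


def detect_bruteforce(events, now=NOW, threshold=3, minutes=10, successful_only=False):
    """Reproduce the SPL pipeline: base search + time window, eval condition,
    stats count BY ip, where logfail > threshold, eval kind.
    With successful_only=True the 'where' also requires login > 0, i.e. the
    narrower search that reports only brute force attempts that eventually succeeded."""
    earliest, latest = window_bounds(now, minutes)
    counts = defaultdict(lambda: {"login": 0, "logfail": 0})
    for ev in events:
        if not (earliest <= ev["_time"] < latest):
            continue  # outside the search time range
        if ev["status"] == "logged in":
            counts[ev["ip"]]["login"] += 1          # condition="login"
        elif ev["status"] == "not logged" and ev["message"] == "Invalid credentials.":
            counts[ev["ip"]]["logfail"] += 1        # condition="logfail"
        # anything else does not match the base search and is dropped
    report = {}
    for ip, c in sorted(counts.items()):
        if c["logfail"] <= threshold:
            continue                                 # where logfail > 3
        if successful_only and c["login"] == 0:
            continue                                 # ... AND login > 0
        kind = "successful" if c["login"] > 0 else "unsuccessful"
        report[ip] = {"login": c["login"], "logfail": c["logfail"], "kind": kind}
    return report


if __name__ == "__main__":
    for ip, row in detect_bruteforce(SAMPLE_EVENTS).items():
        print(ip, row)
```

Running it reports 10.0.0.5 as a successful brute force and 10.0.0.9 as an unsuccessful one; 10.0.0.12 stays under the threshold, 10.0.0.20 has too few failures inside the window, and 10.0.0.30's events never match the base search. With `successful_only=True` only 10.0.0.5 remains, which is the difference between the two searches discussed above.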