I have already added a time field (10 minutes), but it seems this query searches in the given timeframe and looks for the total failed events and one successful event, without taking into account the time sequence in which they came.
For example, I run the query and see users who have logged in in this sequence:
1. failure
2. success
3. failure
4. failure
5. failure
6. failure
The query should only look for the first 5 failed logins followed by a successful one, but
it looks at the total of logins within a timeframe.
I wonder if this is easy to do with the Enterprise Security app; there you do have brute force queries, but none of them contain the successful brute force attacks.
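The distinction the post is making, as an added illustration that is not part of the original post or of any Splunk content: a count-based rule ("at least 5 failures and at least 1 success in the window") fires on the failure/success/failure/failure/failure/failure sequence above, while an order-aware rule only fires when the success comes after an unbroken run of failures. The log lines, field names (`user=`, `action=`) and thresholds below are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not real data). Field names are
# assumed for this illustration only.
#  - alice: the post's sequence (failure, success, then four failures) - 5 failures
#    and 1 success in total, but the success is NOT preceded by 5 failures.
#  - bob:   5 failures in under a minute, then a success (what we want to catch).
#  - carol: 5 failures and a success, but only 2 of the failures fall inside the
#    10-minute window before the success.
SAMPLE_LOG = """\
2024-05-01T10:00:00 user=alice action=failure src=198.51.100.10
2024-05-01T10:00:30 user=alice action=success src=198.51.100.10
2024-05-01T10:01:00 user=alice action=failure src=198.51.100.10
2024-05-01T10:01:20 user=alice action=failure src=198.51.100.10
2024-05-01T10:01:40 user=alice action=failure src=198.51.100.10
2024-05-01T10:02:00 user=alice action=failure src=198.51.100.10
2024-05-01T10:03:00 user=bob action=failure src=203.0.113.5
2024-05-01T10:03:10 user=bob action=failure src=203.0.113.5
2024-05-01T10:03:20 user=bob action=failure src=203.0.113.5
2024-05-01T10:03:30 user=bob action=failure src=203.0.113.5
2024-05-01T10:03:40 user=bob action=failure src=203.0.113.5
2024-05-01T10:03:50 user=bob action=success src=203.0.113.5
2024-05-01T09:30:00 user=carol action=failure src=192.0.2.7
2024-05-01T09:32:00 user=carol action=failure src=192.0.2.7
2024-05-01T09:34:00 user=carol action=failure src=192.0.2.7
2024-05-01T09:50:00 user=carol action=failure src=192.0.2.7
2024-05-01T09:52:00 user=carol action=failure src=192.0.2.7
2024-05-01T09:54:00 user=carol action=success src=192.0.2.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>failure|success)")


def parse_log(text):
    """Turn the raw lines into (timestamp, user, action) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["action"]))
    return events


def naive_count_match(events, threshold=5):
    """The count-only logic the post complains about: flag a user whenever the
    whole set holds >= threshold failures and >= 1 success, regardless of order."""
    failures, successes = {}, {}
    for _, user, action in events:
        bucket = failures if action == "failure" else successes
        bucket[user] = bucket.get(user, 0) + 1
    return sorted(u for u in failures if failures[u] >= threshold and successes.get(u, 0) >= 1)


def detect_failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Order-aware logic: walk events in time order and keep, per user, the run of
    failures since the last success. A success fires an alert only if at least
    `threshold` failures occurred in the unbroken run within `window` before it;
    any success (alerting or not) resets the run, so failures after a success
    start a new count."""
    alerts = []
    streaks = {}  # user -> timestamps of failures since that user's last success
    for ts, user, action in sorted(events, key=lambda e: e[0]):
        # keep only failures that are still inside the window relative to this event
        recent = [t for t in streaks.get(user, []) if ts - t <= window]
        if action == "failure":
            recent.append(ts)
            streaks[user] = recent
        else:
            if len(recent) >= threshold:
                alerts.append({
                    "user": user,
                    "failures": len(recent),
                    "first_failure": recent[0],
                    "success_at": ts,
                })
            streaks[user] = []  # a success ends the run either way
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("count-only rule flags:", naive_count_match(evs))
    for a in detect_failures_then_success(evs):
        print("order-aware alert:", a)
```

Run as-is, the count-only rule flags alice, bob and carol, while the order-aware rule reports only bob (5 failures, then success). The same ordering requirement carries over to SPL: sort on `_time` and build the run with `streamstats` (using its reset options so a success clears the count) or with `transaction ... endswith=<success condition>`, rather than a single `stats count` over the window.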