I have been trying to figure out a search that can be used to track failed logon events over time but really struggling to identify a workable solution (if there is one). My initial search query was index=wineventlog EventCode=4625 NOT TargetUserName="*$" | eval User=TargetDomainName."/".TargetUserName | transaction User EventCode maxspan=1d | stats values(User) by signature Reading some other threads indicated that the use of 'transaction' isn't very efficient and to use streamstats or eventstats instead so I came up with  index=wineventlog EventCode=4625 NOT TargetUserName="*$" | eval User=TargetDomainName."/".TargetUserName | eventstats sum(User) as Failed_Count by signature | where Failed_Count >=3 | table User signature Failed_Count however this doesn't give me any results. My aim is to search over a 7 day period and shows stats per day for each user by the signature. This would help with identifying bad scripts or possible bruteforce attempts including spray attacks over a long period. ... View more

I have been trying to look at statistical figures for failed login attempts over a 30 day period for each user by the hostname. I can get a table showing every failed attempt but want to condense that down to show a total count of failed attempts and an avg/day, my thinking being that it could be useful to identify attempts to do slow brute forcing from credential stuffing attacks. This is what I have tried so far: index=wineventlog EventCode=4625 | search signature="User name is correct but the password is wrong" | eventstats count(TargetUserName) by hostname as Total_Count | eventstats avg(Total_Count) as Avg_Count | table TargetUserName, hostname, Total_Count, Avg_Count | sort TargetUserName but this ends up giving me the username and hostname but the total and avg fields are blank. Any ideas on how to do this better?   Thanks, Maxy ... View more