Hi All, I've been working on a search that will give me the Account_Name of someone who has failed to login 6-10 times concurrently. I'm running into an issue where I'm seeing accurate results when specifying 1-2 Account_Names in the query. When I try to open it up to any Account_Name I'm getting no results returned. I'm dealing with a very large sourcetype and I'm wondering if there might be some kind of streamstats limit being reached preventing results? I'm not too familiar with the streamstats command but believe I'm using it correctly judging by the refined search and accurate results. My ultimate goal would be to incorporate the concurrent count into the last query listed below. Any advice/help would be appreciated.

Search Returning Results (Accurate):

| from datamodel:Authentication
| search sourcetype="graylogwindows:Security" (EventCode=4624 OR EventCode=4625) (Account_Name=User1 OR Account_Name=User2) NOT (Account_Name="*$" OR Account_Name="HealthMailbox*")
| eval LoginAttemptResult=if((action="failure" OR EventCode=4625), "FAILED", "SUCCESSFUL")
| streamstats count(eval(LoginAttemptResult="FAILED")) AS ConcurrentFailed BY Account_Name reset_before=signature_id=4624 reset_after=signature_id=4624
| where ConcurrentFailed >= 6 AND ConcurrentFailed <= 10
| sort Account_Name _time
| table Workstation_Name,_time,signature,signature_id,Account_Name,ConcurrentFailed

Search Returning Nothing:

| from datamodel:Authentication
| search sourcetype="graylogwindows:Security" (EventCode=4624 OR EventCode=4625) NOT (Account_Name="*$" OR Account_Name="HealthMailbox*")
| eval LoginAttemptResult=if((action="failure" OR EventCode=4625), "FAILED", "SUCCESSFUL")
| streamstats count(eval(LoginAttemptResult="FAILED")) AS ConcurrentFailed BY Account_Name reset_before=signature_id=4624 reset_after=signature_id=4624
| where ConcurrentFailed >= 6 AND ConcurrentFailed <= 10
| table Workstation_Name,_time,signature,signature_id,Account_Name,ConcurrentFailed
| sort Account_Name _time
Ultimate goal to get functioning (everything functioning other than streamstats "Failure_Count"):

| from datamodel:Authentication
| search sourcetype="graylogwindows:Security" (EventCode=4624 OR EventCode=4625) NOT (Account_Name="*$" OR Account_Name="HealthMailbox*")
| reverse
| streamstats count(EventCode) as "Failure_Count" BY Account_Name reset_after=EventCode="4624" reset_before=EventCode="4624"
| stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed, count(eval(match(Keywords,"Audit Success"))) as Success, values(Failure_Count) as "Failure_Count_Values" by Account_Name
| where Attempts>=1 AND Success>=1 AND Failed>=6 AND Failure_Count_Values > 6....
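Added example, not part of the post above: a small Python model of what the streamstats pipeline is meant to compute, so the reset_before/reset_after semantics can be checked on constructed events before running it against a large sourcetype. It assumes events are walked oldest-first (as the reversed search does), uses 4625 for a failure and 4624 for a success, and applies the same machine-account exclusion; the event records and the helper names are constructed for the example.

```python
from collections import defaultdict
from fnmatch import fnmatch


def _ev(t, acct, code, ws="WS01"):
    """Build one constructed Windows Security event record."""
    return {"_time": t, "Account_Name": acct, "EventCode": code, "Workstation_Name": ws}


# Constructed sample: User1 fails 7 times then succeeds; User2 fails 3 times,
# succeeds, then fails twice more; SVC01$ is a machine account and is excluded.
EVENTS = (
    [_ev(t, "User1", 4625) for t in range(1, 8)] + [_ev(8, "User1", 4624)]
    + [_ev(t, "User2", 4625) for t in range(1, 4)] + [_ev(4, "User2", 4624)]
    + [_ev(t, "User2", 4625) for t in range(5, 7)]
    + [_ev(t, "SVC01$", 4625) for t in range(1, 13)]
)


def excluded(account):
    """Mirror NOT (Account_Name="*$" OR Account_Name="HealthMailbox*")."""
    return fnmatch(account, "*$") or fnmatch(account, "HealthMailbox*")


def concurrent_failed(events):
    """Replicate streamstats count(eval(LoginAttemptResult="FAILED")) AS ConcurrentFailed
    BY Account_Name with reset_before and reset_after on a successful logon (4624)."""
    counters = defaultdict(int)
    rows = []
    for ev in sorted(events, key=lambda e: e["_time"]):  # stable, so per-account order holds
        acct = ev["Account_Name"]
        if excluded(acct):
            continue
        if ev["EventCode"] == 4624:  # reset_before: the success row itself shows 0
            counters[acct] = 0
        if ev["EventCode"] == 4625:  # the counted eval: only failures increment
            counters[acct] += 1
        rows.append(dict(ev, ConcurrentFailed=counters[acct]))
        if ev["EventCode"] == 4624:  # reset_after: next failure starts a new run
            counters[acct] = 0
    return rows


def flag(events, low=6, high=10):
    """Equivalent of | where ConcurrentFailed >= 6 AND ConcurrentFailed <= 10."""
    return [r for r in concurrent_failed(events) if low <= r["ConcurrentFailed"] <= high]


if __name__ == "__main__":
    for r in flag(EVENTS):
        print(r["_time"], r["Account_Name"], r["ConcurrentFailed"])
```

Only the sixth and seventh consecutive failures of User1 are returned; User2 never reaches the threshold because the intervening success resets its run.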