Streamstats with time_window will meet many of your needs. For example...
2) Find a group of 20 or more failed authentication attempts followed by a successful authentication, all within 30 minutes of each other.
Total Search Window: 24 hours
Transaction maxspan window: 30 minutes
earliest=-24h "Authentication Failed" OR "Authentication Succeeded"
| reverse
| eval authfail=if(like(_raw,"%Authentication Failed%"),1,0)
| streamstats sum(authfail) as authfail by user time_window=30m
| where authfail>=20 AND like(_raw,"%Authentication Succeeded%")
Note - Specifics of the overall search window are irrelevant to this particular code. If 20 or more authentication failures occur for a single user within the 30m time window then the next success will cause the search to succeed.
Modify the "like" clauses to match your actual success or fail wording, or use any other convenient way of testing the same thing. You should also include the actual field names to make it more efficient.
3) Find a group of 3 or more users attempting to connect to the same host within a 1 hour window.
Total Search Window: 24 hours
Transaction maxspan window: 1 hour
This one will catch the 3rd and subsequent failures...
earliest=-24h "Authentication Failed"
| streamstats dc(user) as userfail by host time_window=1h
| where userfail > 2
To get all of them, you could run that into a subsearch, format it with the time, and feed it all into a search against the whole set of failures, but there's a much easier way. Flip the order around, and the first guy of the three is now the third. Thus, the sum of their numbers in each direction will be four or more.
earliest=-24h "Authentication Failed"
| streamstats dc(user) as userfail1 by host time_window=1h
| reverse
| streamstats dc(user) as userfail2 by host time_window=1h
| eval userfail = userfail1 + userfail2
| where userfail>3
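As an added illustration that is not part of this answer, the following Python models both searches over a constructed sample log: a trailing per-user 30-minute failure window that fires on the next success, and the forward-plus-reversed distinct-user count whose sum exceeds 3 for every event in a three-user cluster. The log line format, the field names user/host, and the sample events are all constructed here.

```python
from collections import deque
from datetime import datetime, timedelta

def parse(line):
    # Constructed line format: "<iso-timestamp> user=<u> host=<h> <message>"
    ts, user, host, msg = line.split(" ", 3)
    return datetime.fromisoformat(ts), user[5:], host[5:], msg

def failures_then_success(lines, threshold=20, window=timedelta(minutes=30)):
    """Search 2: sum(authfail) by user over a trailing 30m window, then keep a
    success whose window holds >= threshold failures. Oldest-first, as after | reverse."""
    recent, hits = {}, []  # user -> deque of failure timestamps still in the window
    for ts, user, host, msg in sorted(map(parse, lines)):
        q = recent.setdefault(user, deque())
        while q and ts - q[0] > window:
            q.popleft()
        if "Authentication Failed" in msg:
            q.append(ts)
        elif "Authentication Succeeded" in msg and len(q) >= threshold:
            hits.append((user, ts, len(q)))
    return hits

def _dc_user_by_host(events, window):
    """streamstats dc(user) by host time_window=...: one count per event, in stream order."""
    seen, out = {}, []
    for ts, user, host, _ in events:
        q = seen.setdefault(host, deque())
        while q and abs(ts - q[0][0]) > window:  # abs() so a reversed stream works too
            q.popleft()
        q.append((ts, user))
        out.append(len({u for _, u in q}))
    return out

def users_per_host(lines, threshold=3, window=timedelta(hours=1)):
    """Search 3, two-direction form: forward dc + reversed dc > threshold marks every
    failure that sits in a cluster of >= threshold distinct users on one host."""
    fails = sorted(e for e in map(parse, lines) if "Authentication Failed" in e[3])
    fwd = _dc_user_by_host(fails, window)
    bwd = _dc_user_by_host(fails[::-1], window)[::-1]
    return [(e[2], e[1], e[0]) for e, a, b in zip(fails, fwd, bwd) if a + b > threshold]

# Constructed sample log: 20 alice failures then a success on web1, plus noise.
T0 = datetime(2024, 1, 1, 10, 0)
def _ev(minute, user, host, msg):
    return f"{(T0 + timedelta(minutes=minute)).isoformat()} user={user} host={host} {msg}"
LOG = [_ev(i, "alice", "web1", "Authentication Failed") for i in range(20)]
LOG += [_ev(21, "alice", "web1", "Authentication Succeeded"),
        _ev(2, "bob", "web1", "Authentication Failed"), _ev(3, "bob", "web1", "Authentication Succeeded"),
        _ev(5, "carol", "web1", "Authentication Failed"),
        _ev(40, "dave", "db1", "Authentication Failed"), _ev(50, "erin", "db1", "Authentication Failed")]
```

Running failures_then_success(LOG) returns only alice's success (20 failures behind it), and users_per_host(LOG) returns all 22 web1 failures but none from db1, where only two users appear.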