I wanted to go over the following use case idea I had that I’ve been working. Basically, I am looking to gather abnormal failed authentications, for example thousands of failed attempts in a 5 minute period on any given day when normally we see many dozens. i am not getting expected results. Thanks.
| tstats count values(Authentication.action) as Action, values(Authentication.user) as User, values(Authentication.src) as Source, values(Authentication.dest) as "dest" from datamodel="Authentication" where (index=acs Authentication.action!=success by Authentication.user | appendcols [| tstats count from datamodel=Authentication where Authentication.action=failure earliest=-30d latest=now by Authentication.user, _time span=5m | stats mean(count) as mean stdev(count) as stdev] | where count>mean+stdev
... View more