Hello,
I am trying to track failed logons followed by a successful one using the transaction command and the following criteria:
Limit the time span to 5 min, add a startswith so each transaction will begin with a logon failure, add an endswith so each transaction will end with a logon success, and add a | where to find when the eventcount exceeds 3.
This is what I have so far:
Hi @My,
I don't like the transaction command and I use it only when I don't have any other solution.
In your case, you could do this:
index=wineventlog sourcetype=xmlwineventlog:Security EventCode IN (4624,4625)
| stats dc(EventCode) AS dc_eventcode count(eval(EventCode=4625)) AS failed BY user host
| where dc_eventcode>1 AND failed>5
In this way you have the filter for more than 5 failed logins and a successful login, grouped by user and host.
Ciao.
Giuseppe
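As an added example (not part of the original thread and not Splunk's own code), the Python below emulates both searches discussed here over a constructed set of Security events, so the difference between them is visible: `transaction_style` mimics `transaction user host maxspan=5m startswith="EventCode=4625" endswith="EventCode=4624" | where eventcount>3`, and `stats_style` mimics Giuseppe's `stats dc(EventCode) ... | where dc_eventcode>1 AND failed>5`. The sample events, user and host names, and the simplified maxspan handling (an open transaction that exceeds the span without reaching a success is discarded) are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security events (time, EventCode, user, host); not real log data.
SAMPLE_EVENTS = [
    # alice: 4 failures then a success within 5 minutes -> transaction-style hit only
    ("2024-01-01 10:00:00", 4625, "alice", "ws01"),
    ("2024-01-01 10:01:00", 4625, "alice", "ws01"),
    ("2024-01-01 10:02:00", 4625, "alice", "ws01"),
    ("2024-01-01 10:03:00", 4625, "alice", "ws01"),
    ("2024-01-01 10:04:00", 4624, "alice", "ws01"),
    # bob: 6 failures spread over 30 minutes, then a success -> stats-style hit only
    ("2024-01-01 10:00:00", 4625, "bob", "ws02"),
    ("2024-01-01 10:06:00", 4625, "bob", "ws02"),
    ("2024-01-01 10:12:00", 4625, "bob", "ws02"),
    ("2024-01-01 10:18:00", 4625, "bob", "ws02"),
    ("2024-01-01 10:24:00", 4625, "bob", "ws02"),
    ("2024-01-01 10:30:00", 4625, "bob", "ws02"),
    ("2024-01-01 10:31:00", 4624, "bob", "ws02"),
    # carol: 2 failures then a success -> below both thresholds
    ("2024-01-01 11:00:00", 4625, "carol", "ws03"),
    ("2024-01-01 11:00:30", 4625, "carol", "ws03"),
    ("2024-01-01 11:01:00", 4624, "carol", "ws03"),
    # dave: 10 failures in under a minute and never a success -> neither search fires
    *[("2024-01-01 12:00:%02d" % (i * 6), 4625, "dave", "ws04") for i in range(10)],
]


def parse_events(rows):
    """Turn (time, code, user, host) tuples into dicts with a real datetime."""
    return [
        {"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "code": c, "user": u, "host": h}
        for t, c, u, h in rows
    ]


def transaction_style(events, maxspan=timedelta(minutes=5), min_eventcount=4):
    """Emulate: transaction user host maxspan=5m startswith=4625 endswith=4624
    | where eventcount>3   (min_eventcount=4 is the same as eventcount>3).
    Simplification (assumption): an open transaction that exceeds maxspan before a
    success arrives is discarded, since it can never satisfy the endswith condition."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_key[(e["user"], e["host"])].append(e)

    hits = []
    for (user, host), evs in by_key.items():
        run = []  # the currently open transaction for this user/host
        for e in evs:
            if run and e["time"] - run[0]["time"] > maxspan:
                run = []  # maxspan exceeded without an endswith event
            if e["code"] == 4625:
                run.append(e)  # startswith: a failure opens or extends a transaction
            elif e["code"] == 4624 and run:
                run.append(e)  # endswith: the success closes the transaction
                if len(run) >= min_eventcount:
                    hits.append({"user": user, "host": host, "start": run[0]["time"],
                                 "end": e["time"], "eventcount": len(run)})
                run = []
    return hits


def stats_style(events, min_failed=5):
    """Emulate: stats dc(EventCode) AS dc_eventcode count(eval(EventCode=4625)) AS failed
    BY user host | where dc_eventcode>1 AND failed>5.  Note that this counts volume over
    the whole search window and does not require the success to follow the failures."""
    agg = defaultdict(lambda: {"codes": set(), "failed": 0})
    for e in events:
        a = agg[(e["user"], e["host"])]
        a["codes"].add(e["code"])
        if e["code"] == 4625:
            a["failed"] += 1
    return sorted(k for k, a in agg.items() if len(a["codes"]) > 1 and a["failed"] > min_failed)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for h in transaction_style(events):
        print("transaction hit:", h)
    print("stats hits:", stats_style(events))
```

Running it shows alice only in the transaction-style result (failures immediately followed by a success inside 5 minutes) and bob only in the stats-style result (many failures plus a success somewhere in the window, with no time ordering). The stats search is cheaper and easier to tune, but if the "followed by" ordering matters to the detection, the per-user sequence logic is what enforces it.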
I don't see what's wrong with this, except that I don't understand the "where eventcount >3". Without that I expect that it should give you the right results. Or what is it exactly that you are missing?