Hi,
I need to upgrade my correlation search for Excessive Failed Logins with Username:
| tstats summariesonly=true values("Authentication.tag") as "tag",dc("Authentication.user") as "user_count",values("Authentication.user") as "usernames", dc("Authentication.dest") as "dest_count",count from datamodel="Authentication"."Authentication" where nodename="Authentication.Failed_Authentication" by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authentication.src" as "src" | where 'count'>=6
I would like the query to trigger only when there is a Successful Authentication after 6 failed authentications.
Thank you.
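The sequence the question asks for (a success from the same app and source after at least 6 failures) cannot be expressed with a plain count threshold, because the order of events matters. The following Python is an added illustration of that detection logic, not code from the post or from Splunk; it runs over constructed events shaped like the Authentication data model fields (app, src, user, action), and the threshold of 6 matches the original search.

```python
from collections import defaultdict

FAILURE_THRESHOLD = 6  # same threshold as the original search ('count'>=6)

# Constructed sample events, not from a real system: (epoch_time, app, src, user, action)
SAMPLE_EVENTS = [
    # 10.0.0.5: six failures across three usernames, then a success -> should alert
    (100, "ssh", "10.0.0.5", "alice", "failure"),
    (101, "ssh", "10.0.0.5", "bob", "failure"),
    (102, "ssh", "10.0.0.5", "carol", "failure"),
    (103, "ssh", "10.0.0.5", "alice", "failure"),
    (104, "ssh", "10.0.0.5", "bob", "failure"),
    (105, "ssh", "10.0.0.5", "alice", "failure"),
    (110, "ssh", "10.0.0.5", "alice", "success"),
    # same source later: two failures then a success -> below threshold, no second alert
    (120, "ssh", "10.0.0.5", "alice", "failure"),
    (121, "ssh", "10.0.0.5", "alice", "failure"),
    (125, "ssh", "10.0.0.5", "alice", "success"),
    # 10.0.0.9: only three failures before success -> no alert
    (200, "ssh", "10.0.0.9", "dave", "failure"),
    (201, "ssh", "10.0.0.9", "dave", "failure"),
    (202, "ssh", "10.0.0.9", "dave", "failure"),
    (205, "ssh", "10.0.0.9", "dave", "success"),
    # 10.0.0.7: seven failures and never a success -> no alert (success is required)
    *[(300 + i, "ssh", "10.0.0.7", "erin", "failure") for i in range(7)],
]


def find_success_after_failures(events, threshold=FAILURE_THRESHOLD):
    """Return one alert per (app, src) whose successful login follows >= threshold failures.

    Events are processed in time order. A success resets the failure streak for that
    key, so a later cluster of failures must reach the threshold on its own.
    """
    alerts = []
    failed_count = defaultdict(int)       # (app, src) -> failures since last success
    failed_users = defaultdict(set)       # (app, src) -> usernames tried during the streak
    for ts, app, src, user, action in sorted(events):
        key = (app, src)
        if action == "failure":
            failed_count[key] += 1
            failed_users[key].add(user)
        elif action == "success":
            if failed_count[key] >= threshold:
                alerts.append({
                    "app": app, "src": src, "time": ts, "user": user,
                    "failed_count": failed_count[key],
                    "usernames": sorted(failed_users[key]),
                })
            failed_count[key] = 0
            failed_users[key].clear()
    return alerts
```

In SPL the equivalent needs the event order preserved: include `_time` and `Authentication.action` in the `tstats` `by` clause and evaluate the failure streak per app and source with `streamstats` rather than a single `count` threshold.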