Hello,
We use an ES ‘Excessive Failed Logins’ correlation search:
```
| tstats summariesonly=true allow_old_summaries=true values(Authentication.tag) as "tag", dc(Authentication.user) as "user_count", dc(Authentication.dest) as "dest_count", count from datamodel=Authentication.Authentication where nodename=Authentication.Failed_Authentication by "Authentication.app", "Authentication.src"
| rename "Authentication.app" as "app", "Authentication.src" as "src"
| where 'count'>=6
```
But we would like to add an additional condition to the search, where the ‘*signature_id*’ field in the **Failed Authentication** data model is not equal to 4771.
We tried to add something like `|where signature_id!=4771` or `|search NOT signature_id=4771` at the end of the search, but of course it didn’t work because the count action happens before it.
Do you have an idea how we can implement that condition?
Thanks for the help.
Alex.
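Added example, not part of the original post: the same correlation search with the exclusion pushed into the `tstats` `where` clause, so it is applied to the accelerated events before `count` and the distinct counts are computed. It assumes the `signature_id` field is populated in the `Authentication` data model (as `Authentication.signature_id`) for these events; the 4771 value is the one from the question.

```spl
| tstats summariesonly=true allow_old_summaries=true
    values(Authentication.tag) as tag,
    dc(Authentication.user) as user_count,
    dc(Authentication.dest) as dest_count,
    count
  from datamodel=Authentication.Authentication
  where nodename=Authentication.Failed_Authentication
    AND NOT Authentication.signature_id=4771
  by Authentication.app, Authentication.src
| rename Authentication.app as app, Authentication.src as src
| where count>=6
```

`NOT Authentication.signature_id=4771` keeps events that have no `signature_id` at all (for example, failed logins from sources other than Windows), whereas `Authentication.signature_id!=4771` would silently drop them from the count; pick the form that matches which sources the detection is meant to cover.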