Thanks to @richgalloway, who provided me the way forward on returning raw events in table format after a search with eventstats:
index=foo
| dedup src
| iplocation src
| eventstats count by _time City src user
| sort -count
| stats values(City) as City, dc(City) as City_Count, values(src) as IP, sum(count) as Total by user
| where City_Count > 3
| sort -Total
Now my question is: how do I search for a specified time period, like, say, five minutes? This search would help me potentially find compromised accounts, as I am basing it on X amount of logins within Y time.
Thx
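One way to express "X logins within Y minutes" in SPL, as an added example that is not part of the original post or @richgalloway's answer: `bin _time span=5m` assigns every login to a fixed five-minute bucket, and `stats ... by _time, user` then counts logins, distinct cities and distinct source IPs per user per bucket. The `dedup src` from the search above is dropped on purpose, because it would discard a user's later logins from an IP already seen in an earlier bucket; `dc(src)` gives the distinct-IP count instead. The index name `foo`, the fields `src` and `user`, the `earliest=-24h` range and the threshold `City_Count > 3` are assumptions carried over from the page or chosen for illustration.

```spl
index=foo earliest=-24h
| iplocation src
| bin _time span=5m
| stats count as Total, dc(City) as City_Count, values(City) as City, dc(src) as IP_Count, values(src) as IP by _time, user
| where City_Count > 3
| sort -Total
```

The time range itself (the "specified time period" for the whole search) is set with `earliest`/`latest` or the time picker; `span` sets the window size inside it, so changing five minutes to an hour is just `span=1h`. Fixed buckets can split a burst that straddles a boundary; if that matters, `streamstats time_window=5m count as Total by user` gives a sliding window instead, at the cost of requiring time-ordered input.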