I have the following search looking for > three login attempts with > 0 successes and two or > failures by user, src, Country, Region, and City which limits me to searching for all five fields.
index="foo" sourcetype="foo:bar" tag=authentication "Primary authentication"
| dedup _time
| iplocation src
| stats count(action) as Attempts, count(eval(match(action,"failure"))) as Failed,
count(eval(match(action,"success"))) as Success
earliest(_time) as FirstAttempt latest(_time) as LatestAttempt by user src Country Region City
| where Attempts>=3 AND Success>0 AND Failed>=2
| eval FirstAttempt=strftime(FirstAttempt,"%x %X")
| eval LatestAttempt=strftime(LatestAttempt,"%x %X")
How would I modify this search to include the values from the src, Country, Region, and City fields but be based on just the user so that I would see events in which a user tried to login from New York and Panama, and China, etc.?
Thx
↧