Been working on a report to show the best data on authentications failed more than ten times in a time span of 10 mins.
Am I headed the right direction? I'm just questioning my count in the table whether or not it is correct:
index=wineventlog action=failure user!=*$ signature!="Kerberos pre-authentication failed" signature!="A Kerberos authentication ticket (TGT) was requested" | eventstats count(user) as failure_count by src_ip | bucket _time span=10m | where failure_count>10 | dedup src_ip |table user user_first user_last signature, src_ip, failure_count | rename user as User, user_first as "First Name" , user_last as "Last Name" , signature as "Failure Reason" , src_ip as "Source IP" , failure_count as Count
Appreciate any and all help.
↧