1 ACCEPTED SOLUTION
Accepted Solutions
Thanks Lee, It worked, actually in investigation tab its showing as 'n' That's why I put it as 'n'
Hello,
I have another challenge based on same logs above, This looks impossible 
I need to generate an alert or report for IP addresses with ec_outcome = 'Y' && 'N' for a timeperiod say 60 minutes. Basically we need to track IPs from which both success and failed logins have been made on userIDs. We are seeing attempts of 100 plus userIDs from an IP out of which 2-3 are success or the second scenario is usual bruteforce type events.
I tried few queries using advanced as normal queries are not triggering anything
SELECT * FROM Event(
(device_type IN ( 'logsource' ) AND ec_outcome IN ( 'N' , 'Y' )))
.std:groupwin(ip_src).win:time_length_batch(5 Minutes, 10)
.std:unique(device_ip) group by ip_src having count(*) = 10;
SELECT * FROM Event(
/* Statement: logsource Success or Failed Login */
(device_type IN ( 'logsource' ) AND ec_outcome IN ( 'N' , 'Y' )))
.std:groupwin(ip_src)
.win:time_length_batch(5 Minutes, 10)
GROUP BY ip_src
HAVING COUNT(*) >= 10;
SELECT * FROM PATTERN [ every-distinct(ip_src, 60 Minutes)
(
/* Statement: logsource failed event */
e1=Event(device_type IN ( 'logsource' ) AND ec_outcome IN ( 'N' ) )
-> timer:interval(60 Minutes) AND
/* Statement: logsource success event */
e2=Event(device_type IN ( 'logsource' ) AND ec_outcome IN ( 'Y' ) )
)
];
