We are attempting to create an alert that would find login failures based on IP addresses. In the alert we would like to know how many servers (beyond 2) the IP is failing on as well as how many total failures across all servers the IP has gotten. We have a search and a lookup table that gets us the IP addresses and how many failures they have on each individual server. We are looking to simplify this to one line per IP with just the IP, the sum of their failures across all servers, and the number of servers they are failing on. Our search is basically something like:
| parse ip_address
| parse server
| count ip_address, server
This populates our table and then we need to query the table and ask both:
| sum(_count) by ip_address
| count_distinct(server) by ip_address
| where _count_distinct >=2
Both of these queries need to be combined into one alert that we can then send. We can send these separately without issue but we would like them to be consolidated.
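The consolidation asked for above, worked through as an added Python example (not code from the post or from the log tool it uses): the per-(IP, server) failure counts are collapsed into one row per IP carrying the total failures and the distinct-server count, and only IPs failing on two or more servers survive. The log format, field names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Equivalent single-query shape assumed for the post's tool (not verified here):
#   | count as failures by ip_address, server
#   | sum(failures) as total_failures, count_distinct(server) as server_count by ip_address
#   | where server_count >= 2

# Constructed sample log lines; assumed format: "<ts> server=<host> ip=<addr> status=<ok|failed>"
SAMPLE_LOGS = """\
2024-01-01T10:00:01Z server=web01 ip=203.0.113.5 status=failed
2024-01-01T10:00:02Z server=web01 ip=203.0.113.5 status=failed
2024-01-01T10:00:03Z server=web02 ip=203.0.113.5 status=failed
2024-01-01T10:00:04Z server=db01 ip=203.0.113.5 status=failed
2024-01-01T10:00:05Z server=web01 ip=198.51.100.7 status=failed
2024-01-01T10:00:06Z server=web01 ip=198.51.100.7 status=failed
2024-01-01T10:00:07Z server=web02 ip=192.0.2.9 status=ok
2024-01-01T10:00:08Z server=web02 ip=192.0.2.9 status=failed
2024-01-01T10:00:09Z server=web03 ip=192.0.2.9 status=failed
"""

LINE_RE = re.compile(r"server=(?P<server>\S+)\s+ip=(?P<ip>\S+)\s+status=(?P<status>\S+)")


def count_failures(lines):
    """Step 1 (the post's 'count ip_address, server'): failures per (ip, server) pair."""
    per_pair = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("status") != "failed":
            continue  # skip unparsable lines and successful logins
        per_pair[(m.group("ip"), m.group("server"))] += 1
    return dict(per_pair)


def summarize_by_ip(per_pair, min_servers=2):
    """Step 2: one row per IP with total failures and distinct-server count,
    keeping only IPs that fail on at least `min_servers` servers."""
    totals, servers = defaultdict(int), defaultdict(set)
    for (ip, server), n in per_pair.items():
        totals[ip] += n
        servers[ip].add(server)
    return {ip: {"total_failures": totals[ip], "server_count": len(servers[ip])}
            for ip in totals if len(servers[ip]) >= min_servers}


def alert_rows(log_text, min_servers=2):
    """Full pipeline: raw log text -> rows that should raise the single alert."""
    return summarize_by_ip(count_failures(log_text.splitlines()), min_servers)
```

With the sample above, 203.0.113.5 (4 failures on 3 servers) and 192.0.2.9 (2 failures on 2 servers) are reported, while 198.51.100.7 is dropped because all of its failures are against one server.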