Comments

  1. theCMack

    or do a count by source IP and map them: "| iplocation src_ip | geostats count by src_ip". See the country of origin for your attacks on a map!

  2. Kamal jeet

    sourcetype=linux_secure
    | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?<session>gdm-\w+)\S:\s"
    | search session=gdm-password
    | rex "\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)\s.+\Sgdm-password:auth\S:\s(?<authstatus>\w+\s\w+);\s.+user=(?<username>\S+)"
    | search authstatus="authentication failure"
    | stats count by username
    | sort - count
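The same pipeline outside Splunk, as an added example that is not part of the comment above: the two rex stages become Python regexes over a handful of constructed linux_secure lines, the two search stages become filters, and stats/sort becomes a Counter. The field names session, authstatus and username come from the SPL; hostname is assumed for the unnamed host capture. One deliberate difference: traditional syslog pads a single-digit day with a space ("Mar  3"), which the single \s after the month in the SPL would not match, so the patterns here use \s+ there.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format of sourcetype=linux_secure.
# Not real log data. Note the single-digit day padded with two spaces.
SAMPLE_LOG = """\
Mar  3 09:14:02 ws01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
Mar  3 09:14:09 ws01 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=alice
Mar  3 09:15:41 ws02 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=bob
Mar  3 09:16:00 ws02 gdm-password]: gkr-pam: unlocked login keyring
Mar  3 09:17:12 ws03 sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar 13 09:18:30 ws01 gdm-launch-environment]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
"""

# The two rex patterns from the SPL, in Python's (?P<name>...) group syntax.
# Only deliberate change: \s+ after the month so the space-padded day matches.
SESSION_RE = re.compile(
    r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s(?P<session>gdm-\w+)\S:\s"
)
AUTH_RE = re.compile(
    r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?P<hostname>\S+)\s.+"
    r"\Sgdm-password:auth\S:\s(?P<authstatus>\w+\s\w+);\s.+user=(?P<username>\S+)"
)


def extract_events(log_text):
    """Emulate '| rex ... | search session=gdm-password | rex ...'.

    Returns one dict per line that survives both extractions and the
    session filter. A line where a pattern does not match gets no field
    and is dropped, just as a following '| search field=value' drops it.
    """
    events = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m or m.group("session") != "gdm-password":
            continue
        a = AUTH_RE.search(line)
        if not a:
            continue
        events.append(a.groupdict())
    return events


def failed_gdm_logins_by_user(log_text):
    """Emulate '| search authstatus="authentication failure"
    | stats count by username | sort - count'."""
    counts = Counter(
        e["username"]
        for e in extract_events(log_text)
        if e["authstatus"] == "authentication failure"
    )
    return counts.most_common()  # (username, count), highest count first


if __name__ == "__main__":
    for user, n in failed_gdm_logins_by_user(SAMPLE_LOG):
        print(f"{user:<12} {n}")
```

Running it on the sample gives alice 2, bob 1: the sshd failure is excluded because its session field never matches gdm-, the keyring line is dropped by the second regex, and the gdm-launch-environment line is dropped by the session filter. The same three exclusions are what the SPL does, so this is a quick way to check a rex change against sample lines before putting it in a saved search.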
