Hey @samkamiya
Instead of using Security Analytics, have you tried using Alerting to create a monitor for login failures?
Perhaps something like this…
{
"name": "Failed Logon",
"type": "monitor",
"monitor_type": "query_level_monitor",
"enabled": true,
"schedule": {
"period": {
"unit": "MINUTES",
"interval": 1
}
},
"inputs": [
{
"search": {
"indices": [
"winlogbeat"
],
"query": {
"size": 500,
"query": {
"bool": {
"filter": [
{
"match_all": {
"boost": 1
}
},
{
"match_phrase": {
"event.original": {
"query": "An account failed to logon",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
},
{
"match_phrase": {
"event.code": {
"query": "4625",
"slop": 0,
"zero_terms_query": "NONE",
"boost": 1
}
}
},
{
"exists": {
"field": "winlog.channel",
"boost": 1
}
},
{
"exists": {
"field": "winlog.event_data.TargetUserName",
"boost": 1
}
},
{
"exists": {
"field": "host.name",
"boost": 1
}
},
{
"exists": {
"field": "event.outcome",
"boost": 1
}
},
{
"range": {
"@timestamp": {
"from": "now-10m",
"to": null,
"include_lower": true,
"include_upper": true,
"boost": 1
}
}
}
],
"adjust_pure_negative": true,
"boost": 1
}
},
"version": true,
"_source": {
"includes": [],
"excludes": []
},
"stored_fields": "*",
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
},
{
"field": "event.created",
"format": "date_time"
},
{
"field": "winlog.event_data.ClientCreationTime",
"format": "date_time"
}
],
"script_fields": {},
"sort": [
{
"@timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"aggregations": {
"2": {
"date_histogram": {
"field": "@timestamp",
"time_zone": "America/Chicago",
"fixed_interval": "30m",
"offset": 0,
"order": {
"_key": "asc"
},
"keyed": false,
"min_doc_count": 1
}
}
},
"highlight": {
"pre_tags": [
"@opensearch-dashboards-highlighted-field@"
],
"post_tags": [
"@/opensearch-dashboards-highlighted-field@"
],
"fragment_size": 2147483647,
"fields": {
"*": {}
}
}
}
}
}
],
"triggers": [
{
"query_level_trigger": {
"id": "jpSKaYgBRnO25hGOgKiN",
"name": "User Failed logon",
"severity": "1",
"condition": {
"script": {
"source": "ctx.results[0].hits.total.value > 5\n\n",
"lang": "painless"
}
},
"actions": [
{
"id": "j5SKaYgBRnO25hGOgKiN",
"name": "Failed logon",
"destination_id": "qR9mVYgBRnO25hGO-KYg",
"message_template": {
"source": "Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n- Period start: {{ctx.periodStart}}\n- Period end: {{ctx.periodEnd}}\n\n\n{{#ctx.results.0.hits.hits}}\n{{@timestamp}}\n> User: {{_source.winlog.event_data.TargetUserName}} \n> Event: {{_source.winlog.channel}} \n> Host: {{_source.host.name}}\n> Event ID: {{_source.event.code}}\n> Status: {{_source.event.outcome}}\n\n{{/ctx.results.0.hits.hits}}",
"lang": "mustache"
},
"throttle_enabled": false,
"subject_template": {
"source": "User failed to logon",
"lang": "mustache"
}
}
]
}
}
],