Greetings, @filip.wozniak! You're definitely on the right track. Your custom query can just be event.code:"4625" ... you can remove the @timestamp portion of the query and configure that below in Step 3 (Schedule Rule).
For this particular use case, you want to group by the username and look for >= 5 occurrences in the time range. So your Group by looks correct and you'd want to set a Threshold value of
You do not need anything in the Unique values inputs. Those are used for cases when you're looking for high-cardinality fields, not for cases like this where you're just counting events that occur over a time period. For instance, if you only wanted to look for users that failed to log in 5 times, but from more than 1 IP address, you could use Count: source.ip with >= 1 Unique Values.
Finally, set your rule interval to 5 minutes. The additional look-back time configuration parameter is there to add a buffer to your time window to ensure that events are never missed (but if you tweak it too high, you can get false positives). For example, to ensure that you never miss a hit due to the timing of the rule run, you'd need to set Additional look-back time to 5 minutes as well, although you may end up with some threshold hits that occurred over a greater time window than 5 minutes.
To summarize, for this particular use case, the below configuration should work for you:
Custom query: event.code:"4625"
Group by: winlog.event_data.AccountName
Unique values: <empty>
Runs every: 5 minutes
Additional look-back time: 0-5 minutes (5 to err on the side of false positives, 0 to err on the side of false negatives)
Hope this helps, and thanks so much for posting!
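The following is an added example, not code from the post above or from Elastic: a small plain-Python simulation of how a threshold rule's Group by, Threshold, Unique values and Additional look-back time interact, run over a handful of constructed 4625/4624 events. It assumes (as the post describes) that each rule run evaluates the window [now - interval - look-back, now); the functions `threshold_hits`, `simulate_rule` and `hit_groups` and the sample accounts and IPs are hypothetical names and constructed data.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real log data), flattened ECS-style field names.
# event.code 4625 = Windows failed logon, 4624 = successful logon.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _ev(offset_s, code, account, ip):
    return {
        "@timestamp": T0 + timedelta(seconds=offset_s),
        "event.code": code,
        "winlog.event_data.AccountName": account,
        "source.ip": ip,
    }


EVENTS = [
    # alice: 5 failures straddling the 12:05 run boundary, from two source IPs
    _ev(180, "4625", "alice", "10.0.0.5"),   # 12:03
    _ev(240, "4625", "alice", "10.0.0.5"),   # 12:04
    _ev(300, "4625", "alice", "10.0.0.6"),   # 12:05
    _ev(360, "4625", "alice", "10.0.0.6"),   # 12:06
    _ev(420, "4625", "alice", "10.0.0.6"),   # 12:07
    _ev(480, "4624", "alice", "10.0.0.6"),   # 12:08 success, excluded by the query
    # bob: 5 failures inside one window, all from a single IP (12:05:30 .. 12:07:30)
    *[_ev(330 + 30 * i, "4625", "bob", "10.0.0.7") for i in range(5)],
    # carol: only 2 failures, below threshold
    _ev(360, "4625", "carol", "10.0.0.8"),
    _ev(370, "4625", "carol", "10.0.0.8"),
]


def matches_query(event):
    """The custom query from the post: event.code:"4625"."""
    return event.get("event.code") == "4625"


def threshold_hits(events, window_start, window_end, group_field, threshold,
                   unique_field=None, min_unique=0):
    """Group matching events in [window_start, window_end) by group_field and return
    the groups with count >= threshold. If unique_field is set, the group must also
    contain >= min_unique distinct values of it (the rule's 'Unique values' input)."""
    buckets = defaultdict(list)
    for e in events:
        if matches_query(e) and window_start <= e["@timestamp"] < window_end:
            buckets[e[group_field]].append(e)
    hits = []
    for key in sorted(buckets):
        evs = buckets[key]
        if len(evs) < threshold:
            continue
        uniq = {e[unique_field] for e in evs} if unique_field else set()
        if unique_field and len(uniq) < min_unique:
            continue
        hits.append({"group": key, "count": len(evs), "unique": len(uniq)})
    return hits


def simulate_rule(events, interval_min, lookback_min, runs, **kw):
    """Run the rule `runs` times, every interval_min minutes starting at T0.
    Assumption: each run evaluates the window [now - interval - look-back, now)."""
    out = []
    for k in range(1, runs + 1):
        now = T0 + timedelta(minutes=interval_min * k)
        start = now - timedelta(minutes=interval_min + lookback_min)
        out.append({"run_at": now, "window_start": start,
                    "hits": threshold_hits(events, start, now, **kw)})
    return out


def hit_groups(events, interval_min, lookback_min, runs=2, **kw):
    """Just the group names that fired on each run, for quick comparison."""
    kw.setdefault("group_field", "winlog.event_data.AccountName")
    kw.setdefault("threshold", 5)
    return [[h["group"] for h in r["hits"]]
            for r in simulate_rule(events, interval_min, lookback_min, runs, **kw)]


if __name__ == "__main__":
    # alice's 5 failures span two 5-minute windows, so with no look-back she is missed
    print("look-back 0m :", hit_groups(EVENTS, 5, 0))
    # with a 5-minute look-back the second run sees all of them (over a 10-minute window)
    print("look-back 5m :", hit_groups(EVENTS, 5, 5))
    # adding Unique values on source.ip keeps only groups that used >= 2 IPs
    print("look-back 5m, >=2 unique source.ip:",
          hit_groups(EVENTS, 5, 5, unique_field="source.ip", min_unique=2))
```

The two runs at 12:05 and 12:10 show the trade-off the post describes: with look-back 0 only bob fires (alice's failures are split 2/3 across the windows, a false negative), while with a 5-minute look-back alice fires too, even though her 5 attempts spread over 4 minutes are evaluated against a 10-minute window. The last call shows what the Unique values input adds: bob, who used a single IP, drops out.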