Detection rule: Failed login attempts

Hi, I've created my own detection rule for employees' failed login attempts. It does work, but when the signal comes to the Security -> Detection dashboard, it does not show or
This is screen shot of my rule:

Is there a way to update my rule so that it would show or
This is a screen shot of fired signal:


Only if you use or in the group by, and that is dependent on what you want to do.

Usually group by or source.ip (depending on the logs) so that you are looking for multiple failed logins from a device. If you look for multiple failed logins full stop, you might get lots of failed logins come Monday morning at 9am, for example. This is more for scatter of user names.

If you group by then you're looking more for brute force attempts.
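
An added sketch, not part of the thread and not Elastic's rule engine, of the point in the reply above: the same failed-login threshold evaluated with no group by and with group by `source.ip`. The events are constructed, and the `user` key and the `threshold_signals` helper are hypothetical names used only for this illustration.

```python
from collections import defaultdict

# Constructed sample events (not from the thread): failed logins in one rule window.
# "source.ip" is the field named in the reply; "user" is a hypothetical key.
# Twelve employees each mistype a password once, each from their own device.
MONDAY_NOISE = [{"source.ip": f"10.0.0.{i}", "user": f"emp{i}"} for i in range(1, 13)]
# One device produces ten failures spread over six user names.
ONE_DEVICE = [{"source.ip": "10.0.9.9", "user": f"emp{i % 6}"} for i in range(10)]
EVENTS = MONDAY_NOISE + ONE_DEVICE


def threshold_signals(events, threshold, group_by=None):
    """Return one signal per group whose failed-login count reaches threshold.

    group_by=None counts every event together ("failed logins full stop").
    """
    counts = defaultdict(int)
    users = defaultdict(set)
    for ev in events:
        key = ev[group_by] if group_by else "*"
        counts[key] += 1
        users[key].add(ev["user"])
    return [
        {"group": key, "failures": n, "distinct_users": len(users[key])}
        for key, n in sorted(counts.items())
        if n >= threshold
    ]


if __name__ == "__main__":
    # No group by: the ordinary Monday-morning failures alone reach the threshold.
    print(threshold_signals(MONDAY_NOISE, 10))
    # Group by source.ip: only the single noisy device produces a signal,
    # and the signal carries the grouped value plus the spread of user names.
    print(threshold_signals(EVENTS, 10, group_by="source.ip"))
```
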

Thank you @probson. I adjusted the detection rule according to your advice and I'll wait for the results.
