I would like to clarify.
For example, I am trying to add a threshold rule against failed login attempts.
If a user fails more than 4 times, I should get an alert.
From the picture above, I am grouping by "winlog.event_data.ipAddress (source.ip)" and setting the threshold to >= 4.
I also indicated the count of "winlog.event_data.Substatus (wrong password)" >= 1.
I think it should be vice versa?
I think the structure of the threshold rule is incorrect.
For example, it should be:
group by "winlog.event_data.ipAddress (source.ip)" >= unique values 1 and
count "winlog.event_data.Substatus (wrong password)" >= threshold 4
Can someone please help with the right way?
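An added example, not part of the original post and not Elastic's own code: a small Python emulation of threshold-rule semantics (filter the events, group by one or more fields, count hits per group, optionally require a minimum number of unique values of another field) run over constructed Windows 4625 events, so the two rule layouts described in the post can be compared on the same data. The field names follow the winlogbeat/ECS names used in the post, the SubStatus codes are Microsoft's documented 4625 values, and the sample events are made up for this example; whether the Kibana rule editor maps its "group by", "threshold" and "count" boxes exactly this way should be confirmed in the editor itself.

```python
"""Emulate a threshold-style detection over Windows failed-logon (4625) events.

Added example: mimics the semantics of a threshold rule (filter, group by,
count per group, optional unique-value check) on constructed sample data.
"""
from collections import defaultdict

# Microsoft-documented 4625 SubStatus codes.
WRONG_PASSWORD = "0xC000006A"
NO_SUCH_USER = "0xC0000064"

SUBSTATUS = "winlog.event_data.SubStatus"


def _evt(ip, user, substatus):
    """Build a minimal ECS-style 4625 event (constructed, not captured)."""
    return {"event.code": "4625", "source.ip": ip, "user.name": user, SUBSTATUS: substatus}


# Constructed sample events, not real logs: one source with 5 wrong-password
# failures, one with 2 (plus an unknown-user failure), one with a single failure.
SAMPLE_EVENTS = [
    _evt("10.0.0.5", "alice", WRONG_PASSWORD),
    _evt("10.0.0.5", "alice", WRONG_PASSWORD),
    _evt("10.0.0.5", "alice", WRONG_PASSWORD),
    _evt("10.0.0.5", "bob", WRONG_PASSWORD),
    _evt("10.0.0.5", "bob", WRONG_PASSWORD),
    _evt("10.0.0.9", "carol", WRONG_PASSWORD),
    _evt("10.0.0.9", "carol", WRONG_PASSWORD),
    _evt("10.0.0.9", "ghost", NO_SUCH_USER),  # filtered out by the rule query
    _evt("10.0.0.7", "dave", WRONG_PASSWORD),
]


def matches_query(evt):
    """The rule's query: failed logons (4625) caused by a wrong password."""
    return evt.get("event.code") == "4625" and evt.get(SUBSTATUS) == WRONG_PASSWORD


def threshold_alerts(events, group_by, threshold, cardinality_field=None, cardinality_min=1):
    """Return one alert per group whose matching-event count reaches `threshold`.

    group_by          fields whose value combination defines a bucket
    threshold         minimum number of matching events in the bucket
    cardinality_field optional field that must show at least `cardinality_min`
                      distinct values inside the bucket (the rule's "count" box)
    """
    buckets = defaultdict(list)
    for evt in events:
        if matches_query(evt):
            key = tuple(evt.get(f) for f in group_by)
            buckets[key].append(evt)

    alerts = []
    for key, hits in buckets.items():
        if len(hits) < threshold:
            continue
        unique = None
        if cardinality_field is not None:
            unique = len({h.get(cardinality_field) for h in hits})
            if unique < cardinality_min:
                continue
        alerts.append({
            "group": dict(zip(group_by, key)),
            "count": len(hits),
            "unique_values": unique,
        })
    return sorted(alerts, key=lambda a: a["count"], reverse=True)


def compare_layouts(events=SAMPLE_EVENTS):
    """Run both layouts from the post and return their alerts side by side."""
    return {
        # Layout 1: group by source.ip, threshold 4, SubStatus unique values >= 1.
        "group_by_ip": threshold_alerts(events, ["source.ip"], 4, SUBSTATUS, 1),
        # Layout 2: group by SubStatus, threshold 4, source.ip unique values >= 1.
        "group_by_substatus": threshold_alerts(events, [SUBSTATUS], 4, "source.ip", 1),
    }


if __name__ == "__main__":
    for name, alerts in compare_layouts().items():
        print(name)
        for a in alerts:
            print("  ", a)
```

On this data the first layout yields exactly one alert, for 10.0.0.5 with a count of 5, while 10.0.0.9 (2 attempts) and 10.0.0.7 (1 attempt) stay quiet. The second layout puts every wrong-password event from every source into a single SubStatus bucket, so it fires once on the pooled count of 8 with 3 distinct source IPs, and the alert no longer says which host was the offender; that is the practical difference between putting source.ip in "group by" versus in the unique-value count.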