```
Base search over index=azuread (the `index=* OR index=_*` prefix widens the
index scope but the inner clause pins it to azuread). Events are excluded only
when BOTH action=success AND user ends in "$" (presumably machine/computer
accounts — confirm against the data). Because that NOT clause runs before the
eval below, events with an empty/missing action or user are kept, not dropped.

eval:   fills empty/null action, src, src_user, dest, user with "unknown";
        app falls back to the event's sourcetype.
rename: maps the raw fields onto "Authentication.*" names (the prefix follows
        the CIM Authentication data model naming convention).
fields: keeps only the listed fields; everything else is dropped downstream.
search: narrows to Authentication.signature=UserLoginFailed, i.e. failed
        sign-ins only.

NOTE(review): the line ends with a bare "|" — the search continues beyond this
excerpt, so whatever consumes the failed-login events is not visible here.
```
(index=* OR index=_*) (((index=azuread )) NOT (action=success user=*$)) | eval action=if(isnull(action) OR action="","unknown",action), app=if(isnull(app) OR app="",sourcetype,app), src=if(isnull(src) OR src="","unknown",src), src_user=if(isnull(src_user) OR src_user="","unknown",src_user), dest=if(isnull(dest) OR dest="","unknown",dest), user=if(isnull(user) OR user="","unknown",user) | rename signature AS Authentication.signature signature_id AS Authentication.signature_id action AS Authentication.action app AS Authentication.app src AS Authentication.src src_user AS Authentication.src_user dest AS Authentication.dest user AS Authentication.user | fields "_time" "host" "source" "sourcetype" "Authentication.signature" "Authentication.signature_id" "Authentication.action" "Authentication.app" "Authentication.src" "Authentication.src_user" "Authentication.dest" "Authentication.user"|search Authentication.signature=UserLoginFailed|