@asakha You have to adjust your correlation search as per your fields. This is just a reference.

Alert when end users have logged onto the VPN entry point more than 5 times in a day:

index=<indexname> sourcetype=<sourcetypename> status=success
| bin _time span=1d as day
| stats count by user, day
| where count > 5
| table user, day, count

A fail-to-ban feature for IP addresses whose logins fail more than 3 times in 1 hour:

index=<indexname> sourcetype=<sourcetypename> action=failure
| bin _time span=1h
| stats count as failed_login_count by src_ip, _time
| where failed_login_count > 3
| eval ban_message="IP address " . src_ip . " exceeded failed login attempts (" . failed_login_count . ")."
| table src_ip, _time, failed_login_count, ban_message

Weekly Report of End-Users' IP Addresses Attempting VPN Logins:

index=vpn_logs sourcetype="your_vpn_sourcetype"
| bin _time span=1w
| stats count as login_count by user, src_ip, _time
| table user, src_ip, _time, login_count
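The three searches above re-implemented in plain Python and run over a handful of constructed VPN log lines, as an added example that is not part of the original post. It shows what `bin _time span=...` followed by `stats count by ...` actually counts, and why a fixed hourly bin can miss a burst of failures that straddles an hour boundary (the `fail_to_ban_sliding` variant is an assumption about how one would tighten the rule, not something from the post). The log format, field names, IP addresses and thresholds are all constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime

DAY, HOUR, WEEK = 86_400, 3_600, 7 * 86_400

# Constructed sample events in a hypothetical "<ISO8601> key=value ..." format.
# alice: 6 successes on one day (should alert); bob: 1 per day (should not).
# carol's IP: 4 failures inside the 09:00 hour (should ban).
# dave's IP: 4 failures in 20 minutes, but 2 fall in the 14:00 bin and 2 in the 15:00 bin.
SAMPLE_LOGS = """
2024-05-06T08:12:33Z user=alice src_ip=203.0.113.10 status=success
2024-05-06T09:02:10Z user=alice src_ip=203.0.113.10 status=success
2024-05-06T10:45:51Z user=alice src_ip=203.0.113.10 status=success
2024-05-06T13:10:03Z user=alice src_ip=203.0.113.10 status=success
2024-05-06T16:31:22Z user=alice src_ip=203.0.113.10 status=success
2024-05-06T22:58:40Z user=alice src_ip=203.0.113.10 status=success
2024-05-06T08:15:00Z user=bob src_ip=203.0.113.20 status=success
2024-05-07T08:15:00Z user=bob src_ip=203.0.113.21 status=success
2024-05-06T09:01:00Z user=carol src_ip=198.51.100.7 status=failure
2024-05-06T09:05:00Z user=carol src_ip=198.51.100.7 status=failure
2024-05-06T09:20:00Z user=carol src_ip=198.51.100.7 status=failure
2024-05-06T09:40:00Z user=carol src_ip=198.51.100.7 status=failure
2024-05-06T14:50:00Z user=dave src_ip=198.51.100.9 status=failure
2024-05-06T14:55:00Z user=dave src_ip=198.51.100.9 status=failure
2024-05-06T15:05:00Z user=dave src_ip=198.51.100.9 status=failure
2024-05-06T15:10:00Z user=dave src_ip=198.51.100.9 status=failure
"""
SAMPLE_LINES = SAMPLE_LOGS.strip().splitlines()


def parse_line(line):
    """Turn one constructed log line into a dict of fields plus epoch seconds in _time."""
    ts_str, *kvs = line.split()
    event = dict(kv.split("=", 1) for kv in kvs)
    event["_time"] = int(datetime.fromisoformat(ts_str.replace("Z", "+00:00")).timestamp())
    return event


def bin_time(epoch, span):
    """Equivalent of `bin _time span=<span>`: floor the timestamp to the start of a fixed bucket.
    Assumption: buckets are aligned to the UTC epoch (Splunk aligns 1d to local midnight)."""
    return epoch - (epoch % span)


def excessive_daily_logins(lines, threshold=5):
    """Search 1: (user, day) pairs with more than `threshold` successful logins."""
    counts = Counter()
    for ev in map(parse_line, lines):
        if ev.get("status") == "success":
            counts[(ev["user"], bin_time(ev["_time"], DAY))] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def fail_to_ban(lines, threshold=3, span=HOUR):
    """Search 2: (src_ip, hour) pairs with more than `threshold` failures, with the ban message."""
    counts = Counter()
    for ev in map(parse_line, lines):
        if ev.get("status") == "failure":
            counts[(ev["src_ip"], bin_time(ev["_time"], span))] += 1
    return {
        key: f"IP address {key[0]} exceeded failed login attempts ({n})."
        for key, n in counts.items() if n > threshold
    }


def fail_to_ban_sliding(lines, threshold=3, window=HOUR):
    """Assumed tightening of search 2: count failures per src_ip in a sliding window
    (what `streamstats time_window=1h count by src_ip` would give), so a burst that
    straddles a fixed hour boundary is still caught. Returns {src_ip: peak count}."""
    failures = sorted(
        (ev for ev in map(parse_line, lines) if ev.get("status") == "failure"),
        key=lambda ev: ev["_time"],
    )
    recent = defaultdict(deque)
    banned = {}
    for ev in failures:
        q = recent[ev["src_ip"]]
        q.append(ev["_time"])
        while ev["_time"] - q[0] >= window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            banned[ev["src_ip"]] = max(len(q), banned.get(ev["src_ip"], 0))
    return banned


def weekly_report(lines):
    """Search 3: login attempts per (user, src_ip, week), all statuses as in the original search."""
    counts = Counter()
    for ev in map(parse_line, lines):
        counts[(ev["user"], ev["src_ip"], bin_time(ev["_time"], WEEK))] += 1
    return counts


if __name__ == "__main__":
    print("daily alerts :", excessive_daily_logins(SAMPLE_LINES))
    print("fixed-bin ban:", fail_to_ban(SAMPLE_LINES))
    print("sliding ban  :", fail_to_ban_sliding(SAMPLE_LINES))
    print("weekly report:", dict(weekly_report(SAMPLE_LINES)))
```

Run as a script to see the four result sets. The fixed-bin version bans only carol's address; dave's four failures in twenty minutes are split 2/2 across two hourly bins and never cross the threshold, which is the caveat to keep in mind when the search is turned into an automated ban.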