I am trying to make a query to drill down the brute force login events. The condition for the brute force event is 20 failed logins within a period of 60 seconds. I'm trying something like this
event.cat.name='User.Activity.Failed Logins' && duration.str = '60'
but get no results. Can somebody help me build such a query? Also it would be nice if you could provide some references for mastering query writing.
Thanks in advance,
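The post does not name the SIEM, so the exact query syntax cannot be given here, but the rule it describes ("20 failed logins within 60 seconds") is a sliding-window count per user rather than a match on a single event field, which is why a `duration` equality on individual events returns nothing. The following is an added Python example, not the poster's code or any vendor's query language, that implements that sliding-window logic over constructed sample log lines; the line format, the user names and the timestamps are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


# Constructed sample log lines (not from the original post), one per line:
# "<ISO timestamp> <user> <outcome>"
def _make_samples():
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # alice: 20 failures 2 s apart, so all 20 fall inside one 60 s window
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} alice failure")
    # bob: 20 failures 5 s apart, so no 60 s window ever holds 20 of them
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} bob failure")
    # carol: successful logins must not count toward the failure threshold
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} carol success")
    return lines


SAMPLE_LINES = _make_samples()


def parse_line(line):
    """Split one constructed log line into (timestamp, user, outcome)."""
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts), user, outcome


def detect_brute_force(lines, threshold=20, window_seconds=60):
    """Return [(user, trigger_time)] for every user that produces `threshold`
    failed logins inside a sliding window of `window_seconds` seconds.

    Events are processed in time order; each user keeps a deque of failure
    timestamps that are still inside the window relative to the newest event.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> timestamps of failures still in window
    alerts = []
    for ts, user, outcome in sorted(parse_line(line) for line in lines):
        if outcome != "failure":
            continue  # only failures count toward the threshold
        q = recent[user]
        q.append(ts)
        # Evict failures older than the window (an event exactly 60 s old still counts).
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts))
            q.clear()  # start a fresh window so one burst yields one alert, not one per event
    return alerts


if __name__ == "__main__":
    for user, when in detect_brute_force(SAMPLE_LINES):
        print(f"brute-force candidate: {user} at {when.isoformat()}")
```

Running it on the sample data raises one alert, for `alice` at the 20th failure (12:00:38); `bob` never accumulates 20 failures inside any 60-second window and `carol`'s successes are ignored. The `q.clear()` after an alert is a design choice: without it, every further failure inside the same window would re-fire the rule. In most SIEMs this same logic is expressed as a correlation or aggregation rule (count of failed-login events grouped by user over a time window with a threshold), layered on top of a plain event filter such as the category match in the post.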