We’re going to create an aggregation bucket called “Office365_FailedLoginStats.” This bucket will aggregate statistics on fields associated with O365 failed login attempts.
To begin, name the rule and, optionally, add a description of its purpose.
In this case, we want to apply this bucket to event data.
After the basic information is filled out, the next step is to set the selection criteria. By default, the “Match ALL” box is checked, which applies the aggregation to every event. For this bucket, however, we only want to aggregate O365 failed login events, so uncheck the Match All box to reveal the filter section.
Once the Match All box is unchecked, click the “+ADD FILTER” button that appears to open the filter window. There are five filter types: field, entityinfo, regexp, exists, and feed. Field compares the listed values against a selected field. Entityinfo uses a defined entity list to match multiple values, and can translate them as well. Regexp lets you match with a regular expression. Exists matches on whether the field is present in the event.
In this case, we want field. Select/search the desired field from the dropdown, or type it into the box, then add values to the “Match” box.
Once you’ve typed in a match, press enter to add it to the list; the match then appears as an entry in the filter. More matches can be added in the same way. You can also check the “Exclude” checkbox to exclude events that have this field value. Once done, press the “SAVE” button to attach this filter to the event bucket.
In this case, we want to make sure the associated O365 operation is “UserLoginFailed.”
We also want to add one more filter to match @sender to the value “office365.” Once we have finished adding filters, we can proceed to the aggregations.
The last step is to create the aggregations. Aggregations allow you to collect data for specified fields for matching events. Click the “+ AGGREGATION” button to open up the window to add an aggregation.
First, select the type of aggregation you want to add. There are four types of aggregations: count, sum, cardinality, and tail. Count keeps a count of how many times each value of the selected field occurs for all of the matching events. Sum keeps a running total of all the values for the selected field. This is useful for quantitative data, such as bandwidth. Cardinality keeps track of each unique value of the selected field.
The aggregation above is a count aggregation for the ClientIP field. This will keep a count of how many times each ClientIP shows up for all the O365 failed login events.
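The following is an added example, not part of this page or the product it documents: a small Python model of the bucket built above (two field filters ANDed together, then count, sum and cardinality aggregations over the matching events). The event dictionaries and their field values are constructed for the example; the field names “Operation”, “@sender” and “ClientIP” follow the walkthrough, while “UserId” and “Bytes” are assumptions added to show cardinality and sum. Only the field, regexp and exists filter types are modelled; entityinfo and feed are not.

```python
import re
from collections import Counter

# Constructed sample events (not real log data). "UserId" and "Bytes" are
# assumed fields added so that cardinality and sum have something to work on.
SAMPLE_EVENTS = [
    {"@sender": "office365", "Operation": "UserLoginFailed", "ClientIP": "198.51.100.7",
     "UserId": "alice@example.test", "Bytes": 120},
    {"@sender": "office365", "Operation": "UserLoginFailed", "ClientIP": "198.51.100.7",
     "UserId": "bob@example.test", "Bytes": 80},
    {"@sender": "office365", "Operation": "UserLoginFailed", "ClientIP": "203.0.113.9",
     "UserId": "alice@example.test", "Bytes": 100},
    {"@sender": "office365", "Operation": "UserLoggedIn", "ClientIP": "198.51.100.7",
     "UserId": "alice@example.test", "Bytes": 50},
    {"@sender": "firewall", "Operation": "UserLoginFailed", "ClientIP": "192.0.2.1",
     "Bytes": 10},
]


def make_filter(ftype, field, values=None, exclude=False):
    """Build a predicate for one filter of type field / regexp / exists.
    exclude=True inverts it, so matching events are dropped instead of kept."""
    values = values or []
    if ftype == "field":
        match = lambda ev: field in ev and ev[field] in values
    elif ftype == "regexp":
        patterns = [re.compile(v) for v in values]
        match = lambda ev: field in ev and any(p.search(str(ev[field])) for p in patterns)
    elif ftype == "exists":
        match = lambda ev: field in ev
    else:
        raise ValueError(f"unsupported filter type: {ftype}")
    return (lambda ev: not match(ev)) if exclude else match


def select_events(events, filters, match_all=False):
    """Selection criteria: Match ALL keeps every event; otherwise an event is
    kept only if every attached filter holds (filters are ANDed)."""
    if match_all:
        return list(events)
    return [ev for ev in events if all(f(ev) for f in filters)]


def aggregate(events, agg_type, field):
    """count: occurrences per distinct value; sum: running total of the field;
    cardinality: the set of unique values seen. Events lacking the field are skipped."""
    present = [ev[field] for ev in events if field in ev]
    if agg_type == "count":
        return dict(Counter(present))
    if agg_type == "sum":
        return sum(present)
    if agg_type == "cardinality":
        return set(present)
    raise ValueError(f"unsupported aggregation type: {agg_type}")


def office365_failed_login_stats(events=SAMPLE_EVENTS):
    """The walkthrough's bucket: Operation == UserLoginFailed AND @sender == office365,
    then a count of ClientIP plus two extra aggregations on the assumed fields."""
    filters = [
        make_filter("field", "Operation", ["UserLoginFailed"]),
        make_filter("field", "@sender", ["office365"]),
    ]
    selected = select_events(events, filters)
    return {
        "ClientIP_count": aggregate(selected, "count", "ClientIP"),
        "UserId_cardinality": aggregate(selected, "cardinality", "UserId"),
        "Bytes_sum": aggregate(selected, "sum", "Bytes"),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(office365_failed_login_stats())
```

Running the module prints the ClientIP counts for the three matching failed-login events; the successful login and the non-O365 event are dropped by the filters, exactly as the bucket configured above would do.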
Once you have created all the desired aggregations, click the “HISTOGRAM” button to display the histograms for the aggregations, or click “SAVE” to save the bucket.
Clicking the histogram button creates histograms based on current data for the aggregations that were created. The slider bar along the bottom of each histogram allows you to change the search window for the data.
Page last updated: 2021 Oct 18