✄𐘗
text code block:
✄𐘗from logs-system.auth-* metadata _id, _index, _version

// Create 5-minute time buckets
| eval Esql.time_window_date_trunc = date_trunc(5 minutes, @timestamp)

// Ensure event.action values in a list are expanded
| mv_expand event.action 

| where
  event.category == "authentication" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and
  source.ip is not null 

// Keep relevant fields
| keep
   @timestamp,
   _id,
   _index,
   _version,
   event.category,
   event.action,
   event.outcome,
   source.ip,
   process.name,
   user.name,
   event.dataset,
   data_stream.namespace,
   agent.id,
   user.id,
   Esql.time_window_date_trunc

| stats
  Esql.event_count = count(*),
  Esql.user_name_count_distinct = count_distinct(user.name),
  Esql.user_name_values = values(user.name),
  Esql.process_name_values = values(process.name),
  Esql.event_dataset_values = values(event.dataset),
  Esql.data_stream_namespace_values = values(data_stream.namespace)

  by Esql.time_window_date_trunc, source.ip

| where Esql.user_name_count_distinct > 10 and Esql.event_count >= 30