Correlation searches can run with a real-time or continuous schedule.

• Use a real-time schedule to prioritize current data and performance. Searches with a real-time schedule are skipped if the search cannot be run at the scheduled time. Searches with a real-time schedule do not backfill gaps in data that occur if the search is skipped.
• Use a continuous schedule to prioritize data completion, as searches with a continuous schedule are never skipped.

As excessive failed logins matter most when you hear about them quickly, select a real-time schedule for the search. If you care more about identifying all excessive failed logins in your environment, you can select a continuous schedule for the search instead.

Set a cron schedule to run the search every five minutes.

1. In the Cron Schedule field, type */5 * * * *.
2. For Scheduling, select Real-time.

Optionally, you can set a schedule window and a schedule priority for the search. The schedule priority setting overrides the schedule window setting, so you do not need to set both.

When there are many scheduled reports set to run at the same time, specify a schedule window to allow the search scheduler to delay running this search in favor of higher-priority searches. When detecting excessive failed logins, time matters but there are other searches that are more important so you want to use the automatic setting to rely on the search scheduler.

1. Type a Schedule Window of 0 to not use a schedule window. If you want, type auto to use the automatic schedule window set by the scheduler, or type a number that corresponds with the number of minutes that you want the schedule window to last. For example, type 15 to set a schedule window 15 minutes long.

If this search is more important to run and see results from than other searches, you can change the schedule priority to "Higher" or "Highest" instead of the default. Detecting excessive failed logins is a priority, but not higher than other potential security incidents.

1. Select a Schedule Priority of Default.

You can choose to trigger an alert based on a number of factors associated with the search. By default, the trigger conditions are set to alert you when the number of results is greater than zero. For this search, leave the default value.

Set up throttling to limit the number of alerts generated by your correlation search. By default, each result returned by the correlation search generates an alert. Typically, you only want one alert of a certain type. You can set up throttling to prevent a correlation search from creating more than one alert of a certain type.

1. Type a Window Duration of 1 and select day(s) from the drop-down list to throttle alerts to 1 per day.
2. Type app and src as Fields to group by. You want to select the fields here that you split the aggregates by.

This means that no matter how many Excessive Failed Logins correlation search matches there are in one day that contain the same app and source field values, only one alert is created.

Next Step

Part 5: Choose available adaptive response actions for the correlation search.