Channel: Latest Questions on Splunk Answers

Top 10 Failed Login


Hi, I would like to find my Top 10 Failed Logins when I run this search. What should I add to get the right result? Here is the query I have so far. (This search gives me all the Failed Logins; I just need to know how to search for the Top command.)

eventtype=msad-failed-user-logons | fields src_host,src_ip,src_nt_domain,user | eval src_ip=replace(src_ip,"::ffff:","") | ip-to-host | stats values(src_nt_domain) AS "Domain(s)", count AS Count, values(src_host) AS "Host(s)", values(src_ip) AS "IP(s)", sparkline AS "Failure activity" by user | sort -Count | rename user as "Username"
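
One way to limit the results to the ten users with the most failures, as an added example that is not part of the original post: giving `sort` a count keeps only the first ten rows after ordering by `Count` descending. It assumes `ip-to-host` is a search macro, which is why it is wrapped in backticks here.

```spl
eventtype=msad-failed-user-logons
| fields src_host, src_ip, src_nt_domain, user
| eval src_ip=replace(src_ip, "::ffff:", "")
| `ip-to-host`
| stats values(src_nt_domain) AS "Domain(s)", count AS Count, values(src_host) AS "Host(s)", values(src_ip) AS "IP(s)", sparkline AS "Failure activity" by user
| sort 10 -Count
| rename user AS "Username"
```

`| sort -Count | head 10` is equivalent. `| top limit=10 user` also ranks users by event count, but it returns only the count and percent columns, so the domain, host, IP and sparkline columns from `stats` would be lost.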

