LogScale groupBy returning no results unless I pre-filter by username. Aggregation limit?
I’m running into behavior in Falcon LogScale that is undermining my confidence in some environment-wide hunting queries.
I’m trying to detect repeated failed authentication attempts from the same source IP against many hosts, while targeting only a single account within a 10-minute window.
Query:
| #event_simpleName=UserLogonFailed2 RemoteAddressIP4!=""
| ts_cur := @timestamp - (@timestamp % 600000)
| timestamp := @timestamp
| HumanTime := formatTime("%Y-%m-%d %H:%M:%S.%L", field=timestamp, locale=en_US, timezone=Z)
| groupBy([RemoteAddressIP4, ts_cur], function=([
    count(UserName, as=user_count, distinct=true),
    count(#event_simpleName, as=failed_count, distinct=false),
    count(ComputerName, as=target_count, distinct=true),
    collect([HumanTime, ComputerName, UserName, #event_simpleName], limit=10)
  ]), limit=50000)
| user_count < 2 and failed_count > 100 and target_count > 100
This returns no results across the full environment.
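For clarity on what the `ts_cur` arithmetic is doing: it floors each epoch-millisecond timestamp to the start of its 10-minute window (600000 ms), so all events in the same window share one grouping key. A toy illustration in Python (not LogScale):

```python
def bucket_10min(epoch_ms: int) -> int:
    """Floor an epoch-millisecond timestamp to its 10-minute bucket start,
    mirroring: ts_cur := @timestamp - (@timestamp % 600000)."""
    return epoch_ms - (epoch_ms % 600_000)  # 600 000 ms = 10 minutes

# Two events 4 minutes apart fall into the same bucket...
assert bucket_10min(1_700_000_100_000) == bucket_10min(1_700_000_340_000)
# ...while an event 9 minutes later crosses into the next bucket.
assert bucket_10min(1_700_000_640_000) != bucket_10min(1_700_000_340_000)
```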
However, if I add an initial free-text filter for a username that I already know matches the criteria, the exact same aggregation returns the expected hits:
| user_adam
| #event_simpleName=UserLogonFailed2 RemoteAddressIP4!=""
| ts_cur := @timestamp - (@timestamp % 600000)
| timestamp := @timestamp
| HumanTime := formatTime("%Y-%m-%d %H:%M:%S.%L", field=timestamp, locale=en_US, timezone=Z)
| groupBy([RemoteAddressIP4, ts_cur], function=([
    count(UserName, as=user_count, distinct=true),
    count(#event_simpleName, as=failed_count, distinct=false),
    count(ComputerName, as=target_count, distinct=true),
    collect([HumanTime, ComputerName, UserName, #event_simpleName], limit=10)
  ]), limit=50000)
| user_count < 2 and failed_count > 100 and target_count > 100
So the data clearly exists; the environment-wide aggregation simply does not surface it. The pre-filter shrinks the number of candidate `[RemoteAddressIP4, ts_cur]` groups dramatically, which is what makes me suspect a limit rather than a logic error.
My assumption is that I may be hitting a `groupBy()` limit/cardinality issue rather than a true “no results” condition.
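To make the hypothesis concrete, here is a toy model in Python of how a bounded group table could drop the interesting group before the post-aggregation filter ever runs. This is only an illustration of the suspected failure mode, not a claim about LogScale's actual eviction strategy:

```python
from collections import OrderedDict

def bounded_group_count(keys, limit):
    """Count occurrences per key, but admit at most `limit` distinct keys.
    Keys first seen after the table is full are silently dropped."""
    groups = OrderedDict()
    for key in keys:
        if key in groups:
            groups[key] += 1
        elif len(groups) < limit:
            groups[key] = 1
        # else: new key arrives after the limit is hit -> never counted
    return groups

# Three distinct keys, but limit=2: the high-volume attacker key "c"
# never enters the table, so a later "count > 100" filter can't see it.
events = ["a", "b"] + ["c"] * 150
counts = bounded_group_count(events, limit=2)
survivors = {k: v for k, v in counts.items() if v > 100}
# "c" is absent from counts, and survivors is empty despite 150 "c" events.
```

If `groupBy()` behaves anything like this, the broad query would report no results even though a matching group exists in the raw data, which is exactly what I'm observing.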
Questions:
- Is this expected behavior when `groupBy([RemoteAddressIP4, ts_cur], limit=50000)` has too many candidate groups?
- Can LogScale silently drop candidate groups before the final `user_count < 2 and failed_count > 100 and target_count > 100` filter is applied?
- What is the recommended pattern for this type of detection at scale?
This matters because the scoped query proves the activity exists, while the broad query silently misses it, which is the worst failure mode for a detection.