mapped result_code with error_code

cyences_app_for_splunk/default/data/models/Cyences_Authentication.json

@@ -511,30 +511,6 @@
                     "displayName": "org_country",
                     "comment": ""
                 },
-                {
-                    "fieldName": "Result_Code",
-                    "owner": "Authentication",
-                    "type": "string",
-                    "fieldSearch": "",
-                    "required": false,
-                    "multivalue": false,
-                    "hidden": false,
-                    "editable": true,
-                    "displayName": "Result_Code",
-                    "comment": ""
-                },
-                {
-                    "fieldName": "EventCode",
-                    "owner": "Authentication",
-                    "type": "string",
-                    "fieldSearch": "",
-                    "required": false,
-                    "multivalue": false,
-                    "hidden": false,
-                    "editable": true,
-                    "displayName": "EventCode",
-                    "comment": ""
-                },
                 {
                     "fieldName": "_time",
                     "owner": "BaseEvent",
@@ -761,7 +737,7 @@
                     "editable": true,
                     "comment": "",
                     "calculationType": "Eval",
-                    "expression": "coalesce(error_code,Error_Code, \"unknown\")"
+                    "expression": "if((EventCode=4768 OR EventCode=4771), Result_Code, coalesce(error_code,Error_Code, \"unknown\"))"
                 }
             ],
             "constraints": [

cyences_app_for_splunk/default/macros.conf

@@ -1295,14 +1295,14 @@ definition = Authentication.app=*
 iseval = 0
 
 [cs_bruteforce_from_user_additional_filter]
-definition = (Authentication.error_code!="0xC0000071")
-# error_code="0xC0000071" Windows Password Expired events
+definition = (Authentication.error_code!="0xC0000071") (Authentication.error_code!="0x17")
+# error_code="0xC0000071" or "0x17" Windows Password Expired events
 # Apply filter on Authentication.* field (tstats where condition filter format, you can use !=, =, OR and AND condition)
 iseval = 0
 
 [cs_bruteforce_from_source_additional_filter]
-definition = (Authentication.error_code!="0xC0000071")
-# error_code="0xC0000071" Windows Password Expired events
+definition = (Authentication.error_code!="0xC0000071") (Authentication.error_code!="0x17")
+# error_code="0xC0000071" or "0x17" Windows Password Expired events
 # Apply filter on Authentication.* field (tstats where condition filter format, you can use !=, =, OR and AND condition)
 iseval = 0
 

cyences_app_for_splunk/default/savedsearches.conf

@@ -5258,10 +5258,8 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime, values(Authentication.EventCode) as EventCode, values(Authentication.Result_Code) as Result_Code, values(Authentication.signature) as signature from datamodel=Cyences_Authentication where `cs_authentication_indexes` (`cs_o365_login_filter_source` OR `cs_aws_login_filter_source`) Authentication.app!=OktaIM2:log Authentication.user!="*$" Authentication.action="failure" `cs_authentication_app_filter` `cs_bruteforce_from_user_additional_filter` by Authentication.app, Authentication.user, Authentication.src, Authentication.dest \
+search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime, values(Authentication.signature) as signature from datamodel=Cyences_Authentication where `cs_authentication_indexes` (`cs_o365_login_filter_source` OR `cs_aws_login_filter_source`) Authentication.app!=OktaIM2:log Authentication.user!="*$" Authentication.action="failure" `cs_authentication_app_filter` `cs_bruteforce_from_user_additional_filter` by Authentication.app, Authentication.user, Authentication.src, Authentication.dest \
 | `drop_dm_object_name(Authentication)` \
-| search NOT EventCode IN (4768, 4771) OR NOT Result_Code IN ("0x17") \
-``` Excluding the events of login failure due to password expire ``` \
 | appendpipe \
     [| stats sum(count) as count by app, user, dest \
     | eval new_dest = dest." (".count.")" \
@@ -5308,10 +5306,8 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime, values(Authentication.EventCode) as EventCode, values(Authentication.Result_Code) as Result_Code, values(Authentication.signature) as signature from datamodel=Cyences_Authentication where `cs_authentication_indexes` `cs_o365_login_filter_source` Authentication.app!=OktaIM2:log Authentication.user!="*$" Authentication.action="failure" `cs_authentication_app_filter` `cs_bruteforce_from_source_additional_filter` by Authentication.app, Authentication.src, Authentication.user, Authentication.dest \
+search = | tstats `cs_summariesonly_authentication` count, min(_time) as firstTime, max(_time) as lastTime, values(Authentication.signature) as signature from datamodel=Cyences_Authentication where `cs_authentication_indexes` `cs_o365_login_filter_source` Authentication.app!=OktaIM2:log Authentication.user!="*$" Authentication.action="failure" `cs_authentication_app_filter` `cs_bruteforce_from_source_additional_filter` by Authentication.app, Authentication.src, Authentication.user, Authentication.dest \
 | `drop_dm_object_name(Authentication)` \
-| search NOT EventCode IN (4768, 4771) OR NOT Result_Code IN ("0x17") \
-``` Excluding the events of login failure due to password expire ``` \
 | `cs_user_privilege_mapping(user)` \
 | appendpipe \
     [| stats sum(count) as count by app, src, dest \