I was trying to build a rule to group multiple account lockouts by device host and user, but after deploying it, it doesn't work and stays disabled.
@RSAAlert
SELECT * FROM Event(
    /* either the normalised lockout tagging or the raw Windows lockout event IDs (4740 / 644) */
    (
        (ec_subject = 'User' AND ec_activity = 'Lockout')
        OR (device_class = 'Windows Hosts' AND reference_id IN ('4740', '644'))
    )
    AND medium = 32
    AND user_dst IS NOT NULL
    AND device_host IS NOT NULL
)
/* one batch per (user, host) pair; the batch is released after 600 sec or 10 events,
   whichever comes first, and only a full batch of 10 raises an alert
   (the posted rule also carried a 60 seconds window; adjust if that was the intent) */
.std:groupwin(user_dst, device_host)
.win:time_length_batch(600 sec, 10)
GROUP BY user_dst, device_host
HAVING COUNT(*) = 10;
Can anyone help me?
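To check what the grouped time_length_batch window actually does before deploying it, here is an added simulation of its semantics in Python (my own code, not NetWitness or Esper code): one buffer per (user_dst, device_host) pair, released after window_sec seconds or batch_size events, and an alert only when the released batch is full. Field names and the sample events are constructed for the example.

```python
from collections import defaultdict

WINDOW_SEC = 600   # time_length_batch time span
BATCH_SIZE = 10    # time_length_batch length, and the HAVING COUNT(*) threshold


def lockout_alerts(events, window_sec=WINDOW_SEC, batch_size=BATCH_SIZE):
    """Simulate std:groupwin(user_dst, device_host).win:time_length_batch(window, n)
    HAVING COUNT(*) = n.  Returns one (user, host, first_time, last_time) tuple per
    full batch.  Only lockout events (4740/644) are admitted, like the Event() filter."""
    batches = defaultdict(list)   # batch buffer per (user, host) group
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("reference_id") not in ("4740", "644"):
            continue
        if not ev.get("user_dst") or not ev.get("device_host"):
            continue
        key = (ev["user_dst"], ev["device_host"])
        buf = batches[key]
        # Time-based release: the batch timer runs from its first event. A batch
        # older than window_sec is released with fewer than batch_size events, so
        # HAVING COUNT(*) = batch_size drops it and no alert is raised.
        if buf and ev["time"] - buf[0]["time"] >= window_sec:
            buf.clear()
        buf.append(ev)
        if len(buf) == batch_size:   # length-based release: full batch -> alert
            alerts.append((key[0], key[1], buf[0]["time"], buf[-1]["time"]))
            buf.clear()
    return alerts


# Constructed sample events (epoch seconds), not real log data:
#  - alice on dc01: 10 lockouts within 270 s            -> should alert
#  - bob on dc02:   10 lockouts spread over 2700 s       -> no full batch, no alert
#  - alice on dc02: only 5 lockouts                      -> no alert
#  - one 4624 logon event, filtered out by reference_id
SAMPLE_EVENTS = (
    [{"time": 1000 + 30 * i, "user_dst": "alice", "device_host": "dc01", "reference_id": "4740"} for i in range(10)]
    + [{"time": 2000 + 300 * i, "user_dst": "bob", "device_host": "dc02", "reference_id": "4740"} for i in range(10)]
    + [{"time": 1000 + 10 * i, "user_dst": "alice", "device_host": "dc02", "reference_id": "644"} for i in range(5)]
    + [{"time": 1100, "user_dst": "alice", "device_host": "dc01", "reference_id": "4624"}]
)

if __name__ == "__main__":
    for user, host, start, end in lockout_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {BATCH_SIZE} lockouts for {user} on {host} between t={start} and t={end}")
```

Shrinking window_sec shows the failure mode directly: with a window shorter than the spacing of alice's lockouts no batch ever fills, and the rule stays silent.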