Need Help regarding a query.
I am trying to make a query to drill down the brute force login events. The condition for the brute force event is 20 failed logins within a period of 60 seconds. I'm trying something like this
event.cat.name='User.Activity.Failed Logins' && duration.str = '60'
but get no results. Can somebody help me build such a query? Also it would be nice if you could provide some references for mastering query building.
Thanks in advance,
- RSA NetWitness
- RSA NetWitness Platform
I guess you are trying this rule in the Log Decoder correlation option or in Rules in the Reporting section.
If you want real-time correlation you should create rules in ESA.
The rules in ESA look something like this:
// ESA rules are Esper EPL: they read from the Event stream, and the filter goes inside Event(...)
SELECT * FROM Event(event_category_name LIKE '%User.Activity.Failed.logins%')
Thanks for the reply. Correlation rules are already created in ESA, but what I am trying is different. Please check the screenshot attached. I am trying to obtain the brute-force events by applying queries.
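The threshold the original post describes (20 failed logins within 60 seconds) is a per-account sliding-window count, which is what a time-windowed correlation rule evaluates. The Python below is an added example, not part of this thread and not NetWitness query syntax; it runs the same logic over a constructed log in a simple "timestamp user=... outcome=..." form (assumed format, not NetWitness output) so the window semantics and the edge cases (failures spread just wider than the window, a run that stops one short) can be checked offline.

```python
"""Sliding-window brute-force detector: THRESHOLD failed logins per account within WINDOW.

Added example; the log line format and field names are assumptions, not NetWitness meta.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                    # failed logins needed to raise an alert
WINDOW = timedelta(seconds=60)    # all THRESHOLD failures must fall inside this span


def fmt(ts, user, outcome):
    """Render one constructed log line, e.g. '2024-01-01T12:00:00 user=alice outcome=failure'."""
    return f"{ts.isoformat()} user={user} outcome={outcome}"


def parse_line(line):
    """Split a constructed log line into (datetime, user, outcome)."""
    ts_text, user_kv, outcome_kv = line.split()
    return (datetime.fromisoformat(ts_text),
            user_kv.split("=", 1)[1],
            outcome_kv.split("=", 1)[1])


def build_sample_log():
    """Constructed sample data covering the cases that matter for the 20-in-60s rule."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # alice: 20 failures 2 s apart (38 s span) -> inside one 60 s window, must alert
    for i in range(20):
        lines.append(fmt(base + timedelta(seconds=2 * i), "alice", "failure"))
    # bob: 20 failures 5 s apart (95 s span) -> never 20 inside any 60 s window, no alert
    for i in range(20):
        lines.append(fmt(base + timedelta(seconds=5 * i), "bob", "failure"))
    # carol: 19 failures then a success -> one short of the threshold, no alert
    for i in range(19):
        lines.append(fmt(base + timedelta(seconds=i), "carol", "failure"))
    lines.append(fmt(base + timedelta(seconds=19), "carol", "success"))
    # Interleave the accounts in time order, as a real log would be
    return sorted(lines)


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per burst of `threshold` failures within `window`, keyed by user.

    Only failures are counted; successes neither count nor reset the window.
    Lines must arrive in chronological order.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerts = []
    for ts, user, outcome in (parse_line(line) for line in lines):
        if outcome != "failure":
            continue
        q = recent[user]
        q.append(ts)
        # Drop failures that are older than `window` relative to the newest one
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": user, "count": len(q), "first": q[0], "last": ts})
            q.clear()   # one alert per burst; the next alert needs a fresh run of failures
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(build_sample_log()):
        span = (alert["last"] - alert["first"]).total_seconds()
        print(f"{alert['user']}: {alert['count']} failed logins in {span:.0f} s "
              f"({alert['first'].isoformat()} .. {alert['last'].isoformat()})")
```

Keying on the account is the choice the original post implies; a password-spraying pattern (one source, many accounts) would need a second detector keyed on the source address instead. Clearing the deque after an alert is what keeps the 21st, 22nd, ... failures from re-firing the same burst every event; an ESA rule expresses the same intent with its time window and output limiting.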