This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
shubhrangshuC
Beginner
Beginner
‎2017-11-03 08:58 AM

Understanding RSA ESA Rule

Hello everyone,

 

Following is the code snippet from an esa rule which triggers an alert on five or more failed logins from a user followed by a successful login and a password change within 5 minutes. This is a RSA Live rule.

 

select * From
Event((ec_activity='Logon' and ec_outcome='Failure' and user_dst IS NOT NULL)
OR(ec_activity='Logon' and ec_outcome='Success' and user_dst IS NOT NULL)
OR (ec_subject='Password' and ec_activity='Modify' and user_dst IS NOT NULL)
).win:time(1200 seconds)
match_recognize (
partition by user_dst
measures F as f_array, S as s, M as m
pattern (F M* F M* F M* F M* F+ M* S+ F* M)
define
F as F.ec_outcome = 'Failure',
S as S.ec_outcome = 'Success',
M as M.ec_activity = 'Modify');

 

I am trying to understand the pattern() under match_recognize(). Kindly help in understanding the pattern.

0 Likes
Reply
1 Reply
shubhrangshuC
Beginner
Beginner
‎2017-11-07 11:58 PM

Any update on this is highly appreciated.

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.