
Rule syntax correction needed.

Question asked by 7vSbijPabQ2OIYjqmMWYEsfsFTGf1SZmhQ12kyJYAjo= on Jun 21, 2016
Latest reply on Jun 21, 2016 by 7vSbijPabQ2OIYjqmMWYEsfsFTGf1SZmhQ12kyJYAjo=

We have an alert configured in our environment that is "Failed login with success". We want to refine this alert in a way that it fires only when multiple users' logins fail and another user's login succeeds from the same host, for events 4776 and 4624 Type 2.


Rule syntax this time:

/*
 * Multiple (at least 5) failed logins followed by a successful login
 * from the same host within 180 seconds.
 */
module Module_54d82ffaf280bd73e4e2fc22;

@Name('Module_54d82ffaf280bd73e4e2fc22_Alert')
@Description('Multiple Failed Logins Followed By a Successful Login within N sec')
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM
Event(
    ec_outcome IN ('Success', 'Failure')
    AND ec_activity = 'Logon'
    AND user_dst IS NOT NULL
).win:time(180 sec)
match_recognize (
    /* "partition by host_src or alias_host" is not valid EPL: the clause takes
       an expression, so group on one host key and fall back to alias_host
       only when host_src is missing */
    partition by coalesce(host_src, alias_host)
    measures F as f_array, S as s
    /* four F followed by F+ means at least five failures; a single S closes
       the match, whereas a trailing S+ keeps it open waiting for more successes */
    pattern (F F F F F+ S)
    define
        F as F.ec_outcome = 'Failure',
        S as S.ec_outcome = 'Success'
);


Kindly help!
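To check what the rule's window and pattern actually require before deploying it, here is a small simulation of its logic (an added example, not ESA code and not part of the original post): one queue per host stands in for partition by, failures older than 180 seconds are dropped as win:time would drop them, and a success fires once at least N failures are queued. The other_user switch is my reading of the asker's refinement (success by an account other than the ones that failed); the field names and sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SEC = 180    # mirrors .win:time(180 sec)
MIN_FAILURES = 5    # mirrors pattern (F F F F F+ S): at least five failures


def detect(events, window=WINDOW_SEC, min_failures=MIN_FAILURES, other_user=True):
    """events: dicts with keys time (epoch seconds), host, user, outcome.
    Returns a list of (host, failed_users, success_user, success_time).
    A matching success consumes the queued failures so one burst fires once."""
    failures = defaultdict(deque)          # host -> deque of (time, user)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        q = failures[ev["host"]]
        while q and ev["time"] - q[0][0] > window:
            q.popleft()                    # failure left the time window
        if ev["outcome"] == "Failure":
            q.append((ev["time"], ev["user"]))
        elif ev["outcome"] == "Success" and len(q) >= min_failures:
            failed = [u for _, u in q]
            if other_user and ev["user"] in failed:
                continue                   # same account finally got in: not this rule
            alerts.append((ev["host"], failed, ev["user"], ev["time"]))
            q.clear()
    return alerts


# Constructed sample events (not real log data).
SAMPLE = (
    # HOST-A: six different accounts fail, then 'svc_admin' succeeds -> alert
    [{"time": 100 + i, "host": "HOST-A", "user": f"user{i}", "outcome": "Failure"}
     for i in range(6)]
    + [{"time": 150, "host": "HOST-A", "user": "svc_admin", "outcome": "Success"}]
    # HOST-B: five failures, but the success comes 300 s later -> window expired
    + [{"time": i, "host": "HOST-B", "user": "bob", "outcome": "Failure"}
       for i in range(5)]
    + [{"time": 300, "host": "HOST-B", "user": "alice", "outcome": "Success"}]
)

if __name__ == "__main__":
    for host, failed, user, t in detect(SAMPLE):
        print(f"ALERT host={host} failed={failed} success={user} at t={t}")
```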
