Create the ESA Rule

Question asked by Susin Kumar on Feb 14, 2017
Latest reply on May 3, 2017 by Anuj Shrivastava

Need the rule for multiple failed logons followed by a successful logon by the same public IP using Cisco ASA events.

I have developed the query below to get only multiple failed login attempts:

---------------------------------------------------------------------------------------------------------------------------------------------------------------

SELECT * FROM Event(
/* Statement: CISCOACS - keep only Cisco Secure ACS authentication failures */
( event_cat_name.toLowerCase() IN ( 'auth.failures' ) AND device_type.toLowerCase() IN ( 'ciscosecureacs' ) )
)
/* one window per source IP; the batch releases after 1 minute or 100 events */
.std:groupwin(ip_src)
.win:time_length_batch(1 minutes, 100)
GROUP BY ip_src
HAVING COUNT(*) >= 100;

---------------------------------------------------------------------------------------------------------------------------------------------------------------

But we need an alert when a successful login follows the failed logins from the same public IP.
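The failed-then-success correlation the question asks for, written as an added Python example (not from the original post, and not RSA NetWitness or Esper code) so the logic can be checked offline before it is expressed as an ESA rule. It keeps the meta keys of the posted query (ip_src, device_type, event_cat_name); the success category name 'auth.successes', the sample IPs and timestamps, the 1-minute window and the threshold of 3 failures are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(time, ip_src, event_cat_name, device_type="ciscosecureacs"):
    """Build one constructed event using the meta keys from the posted ESA query."""
    return {"time": time, "ip_src": ip_src, "event_cat_name": event_cat_name, "device_type": device_type}


# Constructed sample events (IPs, times and 'Auth.Successes' are assumptions, not real data).
SAMPLE_EVENTS = [
    ev("2017-02-14T10:00:01", "203.0.113.7", "Auth.Failures"),
    ev("2017-02-14T10:00:05", "198.51.100.5", "Auth.Failures"),
    ev("2017-02-14T10:00:10", "203.0.113.7", "Auth.Failures"),
    ev("2017-02-14T10:00:15", "198.51.100.5", "Auth.Successes"),              # only one failure: no alert
    ev("2017-02-14T10:00:15", "203.0.113.7", "Auth.Failures", "winevent_nic"),  # other device type: ignored
    ev("2017-02-14T10:00:20", "203.0.113.7", "Auth.Failures"),
    ev("2017-02-14T10:00:30", "203.0.113.7", "Auth.Successes"),               # 3 failures inside window: alert
    ev("2017-02-14T10:05:00", "203.0.113.7", "Auth.Failures"),
    ev("2017-02-14T10:05:30", "203.0.113.7", "Auth.Failures"),
    ev("2017-02-14T10:07:00", "203.0.113.7", "Auth.Successes"),               # failures already expired: no alert
    ev("2017-02-14T10:08:00", "192.0.2.9", "Auth.Failures"),
    ev("2017-02-14T10:08:05", "192.0.2.9", "Auth.Failures"),
    ev("2017-02-14T10:08:10", "192.0.2.9", "Auth.Failures"),                  # no success yet: no alert
]


def correlate(events, threshold=3, window=timedelta(minutes=1), device_type="ciscosecureacs"):
    """Alert when one ip_src logs >= threshold failures within `window` and then a success."""
    recent_failures = defaultdict(deque)  # ip_src -> timestamps of failures still inside the window
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["device_type"].lower() != device_type:
            continue  # same device filter as the posted query
        ts = datetime.fromisoformat(e["time"])
        q = recent_failures[e["ip_src"]]
        while q and ts - q[0] > window:  # slide the window: drop failures older than `window`
            q.popleft()
        cat = e["event_cat_name"].lower()
        if cat == "auth.failures":
            q.append(ts)
        elif cat == "auth.successes":
            if len(q) >= threshold:
                alerts.append({"ip_src": e["ip_src"], "failures": len(q), "success_at": e["time"]})
            q.clear()  # a success ends the streak whether or not it alerted
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Raising the threshold to 4 produces no alert on this sample, which is the tuning knob to set from the real failure volume per source IP.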
