
Understanding RSA ESA Rule

Question asked by shubhrangshu C on Nov 3, 2017
Latest reply on Nov 7, 2017 by shubhrangshu C

Hello everyone,

Following is the code snippet from an ESA rule which triggers an alert on five or more failed logins from a user followed by a successful login and a password change within 5 minutes. This is an RSA Live rule.

select * From
Event((ec_activity='Logon' and ec_outcome='Failure' and user_dst IS NOT NULL)
OR(ec_activity='Logon' and ec_outcome='Success' and user_dst IS NOT NULL)
OR (ec_subject='Password' and ec_activity='Modify' and user_dst IS NOT NULL)
).win:time(1200 seconds)
match_recognize (
partition by user_dst
measures F as f_array, S as s, M as m
pattern (F M* F M* F M* F M* F+ M* S+ F* M)
define
F as F.ec_outcome = 'Failure',
S as S.ec_outcome = 'Success',
M as M.ec_activity = 'Modify');

I am trying to understand the pattern() under match_recognize(). Kindly help in understanding the pattern.
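As an added illustration (not part of the original post and not RSA's code), the pattern can be read as a regular expression over each user's event sequence, where F, S and M are the variables defined in the rule. The Python simulation below maps events to those symbols, partitions by user_dst, and checks constructed sample events against the pattern using the 1200-second window from the posted rule; the event dictionaries and helper names are assumptions for the demo.

```python
import re
from datetime import datetime, timedelta

# Regex form of the posted match_recognize pattern; F/S/M as defined in the rule.
PATTERN = re.compile(r"FM*FM*FM*FM*F+M*S+F*M")
WINDOW = timedelta(seconds=1200)  # mirrors .win:time(1200 seconds)

def symbol(ev):
    """Map an event to the pattern variable it binds to (F, S, M) or None."""
    if ev["ec_activity"] == "Logon":
        return {"Failure": "F", "Success": "S"}.get(ev["ec_outcome"])
    if ev["ec_subject"] == "Password" and ev["ec_activity"] == "Modify":
        return "M"
    return None

def user_matches(seq):
    """seq: [(time, symbol)] for one user_dst, oldest first. True if some
    contiguous run of events fits PATTERN and spans at most WINDOW."""
    syms = "".join(s for _, s in seq)
    for i in range(len(seq)):
        for j in range(i + 1, len(seq) + 1):
            if seq[j - 1][0] - seq[i][0] > WINDOW:
                break  # events this far apart never share the time window
            if PATTERN.fullmatch(syms[i:j]):
                return True
    return False

def alerting_users(events):
    """Partition by user_dst (as the rule does); return users whose events match."""
    per_user = {}
    for e in sorted(events, key=lambda x: x["time"]):
        s = symbol(e)
        if s and e["user_dst"]:  # user_dst IS NOT NULL
            per_user.setdefault(e["user_dst"], []).append((e["time"], s))
    return sorted(u for u, seq in per_user.items() if user_matches(seq))

# Constructed sample events (not real log data); minute offsets from T0.
T0 = datetime(2017, 11, 3, 9, 0, 0)
def ev(user, activity, outcome, minute, subject=None):
    return {"user_dst": user, "ec_activity": activity, "ec_outcome": outcome,
            "ec_subject": subject, "time": T0 + timedelta(minutes=minute)}

SAMPLE = (
    [ev("alice", "Logon", "Failure", m) for m in range(5)]  # 5 failures, then S, M
    + [ev("alice", "Logon", "Success", 6), ev("alice", "Modify", "Success", 7, "Password")]
    + [ev("bob", "Logon", "Failure", m) for m in range(4)]  # only 4 failures: no alert
    + [ev("bob", "Logon", "Success", 5), ev("bob", "Modify", "Success", 6, "Password")]
    + [ev("carol", "Logon", "Failure", m) for m in range(5)]  # change is 40 min later
    + [ev("carol", "Logon", "Success", 6), ev("carol", "Modify", "Success", 40, "Password")]
)
```

Running alerting_users(SAMPLE) returns only alice: bob has four failures rather than five, and carol's password change lies outside the window.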
