Following is the code snippet from an esa rule which triggers an alert on five or more failed logins from a user followed by a successful login and a password change within 5 minutes. This is a RSA Live rule.
select * From
Event((ec_activity='Logon' and ec_outcome='Failure' and user_dst IS NOT NULL)
OR(ec_activity='Logon' and ec_outcome='Success' and user_dst IS NOT NULL)
OR (ec_subject='Password' and ec_activity='Modify' and user_dst IS NOT NULL)
partition by user_dst
measures F as f_array, S as s, M as m
pattern (F M* F M* F M* F M* F+ M* S+ F* M)
F as F.ec_outcome = 'Failure',
S as S.ec_outcome = 'Success',
M as M.ec_activity = 'Modify');
I am trying to understand the pattern() under match_recognize(). Kindly help in understanding the pattern.