On of the ESA alerts that we are using is Failed Logins followed by a sucessful one. Now we are trying to give that information to our client in form os a report, extracted by the reporting engine of ESA.
I included some of the meta that appear in alert and i got this
But the issue is: can i put in this rule the number of times that the user failed the login before the sucessful one, instead of the total of wrong tries?
User, Result, Event Description, IP, Host, Failed Times before sucess
Thanks in advance