
Incorrect Login followed by a Successful

Question asked by Renato Goncalves on Mar 1, 2018

Hello,

One of the ESA alerts that we are using is Failed Logins followed by a successful one. Now we are trying to give that information to our client in the form of a report, extracted by the reporting engine of ESA.

 

I included some of the meta that appear in the alert and I got this

 

But the issue is: can I put in this rule the number of times that the user failed the login before the successful one, instead of the total of wrong tries?

Something like:

User, Result, Event Description, IP, Host, Failed Times before success

johdone@email.com, unknown username, an account failed to log, 1.1.1.1, hostname1, 3

 

Thanks in advance
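
The difference between the total of wrong tries and the failures that directly precede a success, shown as an added example that is not part of the original post and is not ESA rule syntax. The event tuple layout, the 5-minute window and every sample event other than the values taken from the row above are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumption: older failures do not count toward the streak

# Constructed events: (time, user, outcome, result, ip, host)
EVENTS = [
    ("2018-03-01T08:00:00", "carol@example.test", "failure", "bad password", "10.0.0.9", "hostname3"),
    ("2018-03-01T09:00:00", "johdone@email.com", "failure", "unknown username", "1.1.1.1", "hostname1"),
    ("2018-03-01T09:00:20", "johdone@email.com", "failure", "unknown username", "1.1.1.1", "hostname1"),
    ("2018-03-01T09:00:40", "johdone@email.com", "failure", "unknown username", "1.1.1.1", "hostname1"),
    ("2018-03-01T09:01:00", "johdone@email.com", "success", "", "1.1.1.1", "hostname1"),
    ("2018-03-01T09:02:00", "bob@example.test", "success", "", "10.0.0.7", "hostname2"),
    ("2018-03-01T09:05:00", "carol@example.test", "success", "", "10.0.0.9", "hostname3"),
    ("2018-03-01T09:10:00", "johdone@email.com", "failure", "unknown username", "1.1.1.1", "hostname1"),
    ("2018-03-01T09:10:30", "johdone@email.com", "success", "", "1.1.1.1", "hostname1"),
]

def failures_before_success(events, window=WINDOW):
    """Return one report row per success that was preceded by recent failures."""
    streak = defaultdict(list)  # user -> failures seen since that user's last success
    rows = []
    for ts, user, outcome, result, ip, host in sorted(events):
        t = datetime.fromisoformat(ts)
        if outcome == "failure":
            streak[user].append((t, result, ip, host))
            continue
        # A success closes the streak: keep only failures inside the window,
        # then reset the user's counter so later rows start again from zero.
        recent = [f for f in streak.pop(user, []) if t - f[0] <= window]
        if recent:
            _, last_result, last_ip, last_host = recent[-1]
            rows.append({
                "user": user,
                "result": last_result,
                "ip": last_ip,
                "host": last_host,
                "failed_before_success": len(recent),
                "success_time": ts,
            })
    return rows

if __name__ == "__main__":
    for row in failures_before_success(EVENTS):
        print(row)
```

The sample user has four failures in total, but the report gets two rows with counts 3 and 1, because the counter resets at each success.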
