Incorrect Login followed by a Successful

Question asked by Renato Goncalves on Mar 1, 2018


One of the ESA alerts that we are using is Failed Logins followed by a successful one. Now we are trying to give that information to our client in the form of a report, extracted by the reporting engine of ESA.


I included some of the meta that appear in the alert and I got this


But the issue is: can I put in this rule the number of times that the user failed the login before the successful one, instead of the total of wrong tries?

Something like:

User, Result, Event Description, IP, Host, Failed Times before success
unknown username, an account failed to log, hostname1, 3


Thanks in advance
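
The counting asked about above, shown as an added Python example that is not part of the original post and is not ESA rule syntax. It keeps a per-user count of failures that resets on every successful login, so each report row carries the failures before that success rather than the total. The event tuples, field names and the 5-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (time, user, ip, host, result).
EVENTS = [
    ("2018-03-01T08:00:00", "carol", "10.0.0.9", "hostname2", "failure"),
    ("2018-03-01T09:00:00", "alice", "10.0.0.5", "hostname1", "failure"),
    ("2018-03-01T09:00:20", "alice", "10.0.0.5", "hostname1", "failure"),
    ("2018-03-01T09:00:40", "alice", "10.0.0.5", "hostname1", "failure"),
    ("2018-03-01T09:01:00", "alice", "10.0.0.5", "hostname1", "success"),
    ("2018-03-01T09:02:00", "bob", "10.0.0.7", "hostname1", "success"),
    ("2018-03-01T09:10:00", "alice", "10.0.0.5", "hostname1", "failure"),
    ("2018-03-01T09:10:30", "alice", "10.0.0.5", "hostname1", "success"),
    ("2018-03-01T09:20:00", "carol", "10.0.0.9", "hostname2", "failure"),
    ("2018-03-01T09:21:00", "carol", "10.0.0.9", "hostname2", "success"),
]


def failures_before_success(events, window=timedelta(minutes=5)):
    """Return one row per successful login that was preceded by failures.

    The count is per user, includes only failures inside `window` before
    the success, and resets after every success, so it is not a running
    total of wrong tries.
    """
    pending = defaultdict(list)  # user -> failure times since last success
    rows = []
    for ts, user, ip, host, result in sorted(events):  # ISO times sort in order
        when = datetime.fromisoformat(ts)
        if result == "failure":
            pending[user].append(when)
        elif result == "success":
            # Take and clear this user's failures, dropping stale ones.
            recent = [t for t in pending.pop(user, []) if when - t <= window]
            if recent:
                rows.append({"user": user, "ip": ip, "host": host,
                             "time": ts, "failed_before_success": len(recent)})
    return rows


if __name__ == "__main__":
    for row in failures_before_success(EVENTS):
        print(row)
```

In the sample, alice has four failures in total but is reported as 3 and then 1, bob produces no row because nothing failed before his login, and carol's 08:00 failure falls outside the window.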