AnsweredAssumed Answered

EPL RULE - Lockouts

Question asked by Renato Goncalves on May 18, 2018
Latest reply on Jun 11, 2018 by Renato Goncalves

Hello,

I was trying to build a rule to group by device host and user the multiple account lockouts but after deployed it doesnt work and stays disabled.

 

 

@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})

SELECT * FROM

         Event( ( (ec_subject='User' AND ec_activity='Lockout')

                  OR

                  (device_class = 'Windows Hosts' AND reference_id IN ('4740', '644')) )

                  AND

                  medium = 32

                   AND user_dst IS NOT NULL

                   AND device.host IS NOT NULL

                  ).win:time_length_batch(600 sec, 10) HAVING COUNT(*) = 10; ).std:groupwin(user_dst).win:time_length_batch(60 seconds, 10) GROUP BY user_dst and device.host HAVING COUNT(*) = 10;

 

Can anyone help me?

 

Thanks

Outcomes