
Need Help regarding a query.

Question asked by RSA Admin Employee on Sep 12, 2015
Latest reply on Sep 16, 2015 by RSA Admin

Hi,

I am trying to make a query to drill down into the brute force login events. The condition for the brute force event is 20 failed logins within a period of 60 seconds. I'm trying something like this:


event.cat.name='User.Activity.Failed Logins' && duration.str = '60'


but with no results. Can somebody help me build such a query? Also, it would be nice if you could provide some references for mastering query making.

Thanks in advance,

Mathews
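
The condition in the question (20 failed logins within 60 seconds) is a count over a sliding time window. The sketch below is an added example, not part of the original post and not RSA query syntax: it shows that logic in Python over constructed events, and the tuple layout and the grouping by user are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                   # failed logins, from the question
WINDOW = timedelta(seconds=60)   # time period, from the question
FAILED = "User.Activity.Failed Logins"  # category value used in the question's query

def detect_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per burst of >= threshold failures inside `window`.

    events: iterable of (timestamp, category, user) tuples. Grouping by user
    is an assumption; group by source address instead if that fits better.
    """
    recent = defaultdict(deque)   # user -> failure timestamps still in the window
    alerting = set()              # users currently at or above the threshold
    alerts = []
    for ts, category, user in sorted(events):
        if category != FAILED:
            continue
        q = recent[user]
        q.append(ts)
        # Drop failures that fall outside the window relative to this event.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            if user not in alerting:      # report a burst once, not per event
                alerting.add(user)
                alerts.append({"user": user, "first": q[0], "last": ts, "count": len(q)})
        else:
            alerting.discard(user)
    return alerts

def sample_events():
    """Constructed sample data: three users with different failure rates."""
    t0 = datetime(2015, 9, 12, 10, 0, 0)
    events = []
    # alice: one failure every 2 s, so the 20th failure lands 38 s after the first
    events += [(t0 + timedelta(seconds=2 * i), FAILED, "alice") for i in range(25)]
    # bob: one failure every 5 s, so never more than 12 in any 60 s window
    events += [(t0 + timedelta(seconds=5 * i), FAILED, "bob") for i in range(25)]
    # carol: 19 failures in 19 s, one short of the threshold
    events += [(t0 + timedelta(seconds=i), FAILED, "carol") for i in range(19)]
    return events

if __name__ == "__main__":
    for alert in detect_bursts(sample_events()):
        print(alert)
```

Only the fast burst is reported; the slower stream and the 19-failure run stay below the threshold, and a user who goes quiet and starts again produces a second alert.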

 

 


