Hi,
I am trying to make a query to drill down the brute force login events. The condition for the brute force event is 20 failed logins within a period of 60 seconds. I'm trying something like this
event.cat.name='User.Activity.Failed Logins' && duration.str = '60'
but get no results. Can somebody help me build such a query? Also it would be nice if you could provide some references for mastering query building.
Thanks in advance,
Mathews
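The rule described in the question (20 failed logins inside a 60-second window) is a sliding-window count, whichever query language ends up expressing it. The block below is an added example written for this thread, not a NetWitness query and not code from the original post: it implements that window logic in Python over a constructed log format (`timestamp|event.cat.name|user|source ip`), so the expected behaviour (one alert per burst, slow failures ignored) can be checked before translating the rule into the product's own syntax. The sample log, the `login.success` category and the per-(user, source) grouping are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule parameters from the thread: 20 failed logins inside a 60-second window.
THRESHOLD = 20
WINDOW = timedelta(seconds=60)
FAILED_LOGIN_CAT = "User.Activity.Failed Logins"   # category name used in the question


def parse_line(line):
    """Parse one constructed log line of the form
    '<ISO-8601 timestamp>|<event.cat.name>|<user>|<source ip>'."""
    ts, category, user, src = line.strip().split("|")
    return datetime.fromisoformat(ts), category, user, src


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logins per (user, source ip).

    Raises one alert when the count inside the window reaches the threshold,
    then suppresses further alerts for the same key until a full window has
    passed, so a long burst is reported once rather than on every extra failure.
    """
    windows = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    last_alert = {}                # (user, src) -> time of the most recent alert
    alerts = []
    for line in lines:
        ts, category, user, src = parse_line(line)
        if category != FAILED_LOGIN_CAT:
            continue               # successes and unrelated events do not count
        key = (user, src)
        q = windows[key]
        q.append(ts)
        # Drop failures that fell out of the 60-second window.
        while q and ts - q[0] > window:
            q.popleft()
        already_alerted = key in last_alert and ts - last_alert[key] <= window
        if len(q) >= threshold and not already_alerted:
            last_alert[key] = ts
            alerts.append({"user": user, "src": src, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


def make_sample_log():
    """Constructed sample (not real data): alice bursts with 25 failures 2 s apart,
    bob fails slowly (19 failures 4 s apart, never reaching 20), and carol has a
    single successful login that must be ignored."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()}"
                     f"|{FAILED_LOGIN_CAT}|alice|10.0.0.5")
    for i in range(19):
        lines.append(f"{(base + timedelta(seconds=4 * i)).isoformat()}"
                     f"|{FAILED_LOGIN_CAT}|bob|10.0.0.6")
    lines.append(f"{base.isoformat()}|login.success|carol|10.0.0.7")  # assumed category
    lines.sort()   # fixed-width ISO timestamps sort lexically, giving time order
    return lines


if __name__ == "__main__":
    for alert in detect_brute_force(make_sample_log()):
        print(alert)
```

Run stand-alone it prints a single alert for alice from 10.0.0.5 with count 20, first failure at 10:00:00 and the triggering failure at 10:00:38; bob's 19 slow failures produce nothing. The same two checks (a burst that must fire exactly once, a slow trickle that must not fire) are worth re-running against whatever ESA or reporting-engine rule is eventually written.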
Are you trying to apply this in ESA or in normal reporting engine rules?
Regards,
Deepanshu Sood.