The OUTPUT FIRST syntax should be used along with the GROUP BY
statement, so that the alert suppression works independently for every
different group. For example, in your case I would try something like
this, grouping by user_dst, alias_host or even...
Another option is to use EPL time window to trigger 1 alert every X
time, and combine it with the oneInSeconds syntax, for example:
@RSAAlert(oneInSeconds=60, identifiers={"ip_src"})
@Hint('reclaim_group_aged=120') SELECT * FROM Event( /* Statement: ...
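An added example, not from the thread, that puts the two pieces of the advice above together: a per-user count of failed logons over a time window, with GROUP BY and OUTPUT FIRST so that suppression works for each user_dst separately. The meta keys ec_activity and user_dst are taken from the snippets on this page; ec_outcome = 'Failure', the threshold of 7, the 5 minute window and the 10 minute suppression interval are assumptions.

```sql
-- Added example (Esper EPL as used by ESA); not code from the original posts.
-- Assumed: ec_outcome = 'Failure' marks a failed logon, 7 failures per user
-- within 5 minutes is the threshold, and one alert per user per 10 minutes.
@RSAAlert(oneInSeconds=60, identifiers={"user_dst"})
SELECT * FROM Event(
        ec_activity = 'Logon'
    AND ec_outcome = 'Failure'
    AND user_dst IS NOT NULL
).std:groupwin(user_dst).win:time(5 min)
GROUP BY user_dst
HAVING COUNT(*) >= 7
OUTPUT FIRST EVERY 10 minutes
```

std:groupwin keeps a separate 5 minute window per user, and OUTPUT FIRST EVERY applies per GROUP BY key, so a second user crossing the threshold is not silenced by the first user's alert.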
Hi Ahmad, If you want to detect 7 login failures from the same user then
your syntax is almost right, you just need to remove the unique clause:
SELECT * FROM Event((ip_src NOT IN ('x.x.x.x')) AND medium =
32 AND ec_activity = 'Logon' AND ec_theme = 'Authen...
Hi Maximiliano, How about this one?: SELECT window(*) FROM Event(
device_class = 'Web Logs' AND ( result_code LIKE '4%' OR result_code
LIKE '5%' )).std:groupwin(ip_dst).win:time(300 sec) GROUP BY ip_dst
HAVING COUNT(result_code) >= 20 OUTPUT FIRST EVER...
Hi, ESA Primary is just the one that holds:
- the alerts mongo database (contains alerts/incidents that have triggered on any ESA)
- the Context Hub service (there can only be 1 context hub and it must be installed in the ESA Primary)
You can only ha...