2021-01-28 01:18 AM
Hello.
I have one question regarding meta output in an ESA Rule notification (email subject).
I have the following rule:
@Name(' domain:{domain} , detector: {alias_host}, source: {host_src}/{ip_src}, Login: {user_dst}')
@Description('---')
@RSAAlert(oneInSeconds = 0)
SELECT *
FROM Event (
    /* Conditions Event */
    (
        medium = 32
        AND device_class IN ('Windows Hosts')
        AND reference_id IN ('4625')
        AND ip_src IS NOT NULL
        AND logon_type IN ('3')
    )
    AND
    /* Conditions Codes */
    (
        result_code IN ('0xc0000064')
        OR ('0xc0000064') = ANY(context)
    )
    AND
    /* Conditions to Exclude */
    (
        user_dst NOT LIKE ('%$%')
        AND user_dst != ANY(host_src)
    )
).win:time_length_batch(120 seconds, 5)
GROUP BY ip_src
HAVING COUNT(*) = 5
OUTPUT all every 120 seconds;
This rule alerts on a minimum of 5 failed logon attempts from one source, and there may be several login names (user.dst).
In the @Name(...Login: {user.dst}) notation (it's the email subject) I want to see all distinct login names (user.dst).
Is there a way to do it?
Currently I can only see the last user.dst in the sequence in the @Name notation.
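As an added illustration (not part of the original post and not NetWitness/Esper code), the following Python re-implements the filter and grouping logic of the rule above over a handful of constructed 4625 events, and collects the distinct user_dst values per ip_src for the alert subject rather than only the last one. The batch window is approximated per source (a new batch starts once 120 s have elapsed), `user_dst != ANY(host_src)` is read as "exclude logins that repeat a host_src value", and all event values, hostnames and addresses are made up for the example.

```python
"""Added example: Python re-implementation of the posted ESA rule's logic.
Not NetWitness/Esper code; sample events are constructed for illustration."""
from collections import defaultdict

THRESHOLD = 5            # HAVING COUNT(*) = 5
WINDOW_SECONDS = 120     # time_length_batch(120 seconds, 5)
STATUS_CODE = "0xc0000064"


def matches_rule(ev):
    """Mirror the filter conditions of the posted rule for one event (dict)."""
    # Conditions Event
    if ev.get("medium") != 32 or ev.get("device_class") != "Windows Hosts":
        return False
    if ev.get("reference_id") != "4625" or ev.get("logon_type") != "3":
        return False
    if not ev.get("ip_src"):
        return False
    # Conditions Codes: result_code, or the code anywhere in the context array
    if ev.get("result_code") != STATUS_CODE and STATUS_CODE not in ev.get("context", []):
        return False
    # Conditions to Exclude: machine accounts (contain '$') and logins that
    # repeat a host_src value (assumed reading of "user_dst != ANY(host_src)")
    user = ev.get("user_dst") or ""
    if "$" in user or user in ev.get("host_src", []):
        return False
    return True


def build_alert(batch):
    """Build one alert from a batch of events sharing an ip_src."""
    last = batch[-1]
    users = sorted({e["user_dst"] for e in batch})  # distinct logins, not just the last
    return {
        "ip_src": last["ip_src"],
        "count": len(batch),
        "users": users,
        "subject": (
            f"domain:{last.get('domain')}, detector: {last.get('alias_host')}, "
            f"source: {'/'.join(last.get('host_src', []))}/{last['ip_src']}, "
            f"Login: {', '.join(users)}"
        ),
    }


def detect(events):
    """Group matching events by ip_src; alert when 5 arrive within 120 s."""
    batches = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not matches_rule(ev):
            continue
        batch = batches[ev["ip_src"]]
        # Start a fresh batch once the window of the current one has elapsed
        if batch and ev["time"] - batch[0]["time"] > WINDOW_SECONDS:
            batch.clear()
        batch.append(ev)
        if len(batch) == THRESHOLD:
            alerts.append(build_alert(batch))
            batch.clear()
    return alerts


def make_event(t, ip, user, host="WS01", logon_type="3",
               result_code=STATUS_CODE, context=()):
    """Constructed 4625 event in the meta layout the rule refers to."""
    return {"time": t, "medium": 32, "device_class": "Windows Hosts",
            "reference_id": "4625", "logon_type": logon_type,
            "result_code": result_code, "context": list(context),
            "ip_src": ip, "host_src": [host], "user_dst": user,
            "domain": "CORP", "alias_host": "DC01"}


# Constructed sample stream: one source crosses the threshold, one does not.
SAMPLE_EVENTS = [
    make_event(0, "10.0.0.5", "alice"),
    make_event(10, "10.0.0.5", "bob"),
    make_event(20, "10.0.0.5", "WS01$"),                       # machine account -> excluded
    make_event(30, "10.0.0.5", "alice"),
    make_event(40, "10.0.0.5", "carol", result_code="0x0",
               context=[STATUS_CODE]),                         # code only in context -> matches
    make_event(50, "10.0.0.5", "WS01"),                        # login equals host_src -> excluded
    make_event(60, "10.0.0.5", "svc_backup"),                  # 5th match -> alert
    make_event(70, "10.0.0.9", "dave"),
    make_event(80, "10.0.0.9", "dave", logon_type="10"),       # wrong logon type -> excluded
    make_event(90, "10.0.0.9", "erin"),                        # only 2 matches -> no alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["subject"])
```

Running it yields a single alert for 10.0.0.5 whose subject ends in "Login: alice, bob, carol, svc_backup"; the second source never reaches five matching events and is dropped, which is the same effect as the HAVING clause in the rule.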