The rule must generate alerts if there are at least 5 failed logins (bad password) from the same source during 120 seconds.
After reading all the documentation I've managed to get, I've written the following rule:
@RSAAlert(oneInSeconds = 0)
SELECT * FROM Event (
    /* Conditions Event */
    device_class IN ('Windows Hosts')
    AND reference_id IN ('4625')
    AND logon_type IN ('3')
    AND ip_src IS NOT NULL
    /* Conditions Codes: bad password, either as the result code or in the context list */
    AND (result_code IN ('0xc000006a')
         OR '0xc000006a' = ANY(context))
    /* Conditions to Exclude: a known source and machine accounts (user_dst ending in $) */
    AND ip_src NOT IN ('220.127.116.11')
    AND user_dst NOT LIKE '%$%'
)
/* No time-window clause appears in the posted rule; the aggregation below is per ip_src. */
GROUP BY ip_src
HAVING COUNT(*) > 4;
So this rule aggregates more than 4 events with a unique ip_src into one alert.
It works fine most of the time: I get one alert with, for example, 50 events in it, all with a unique ip_src.
But sometimes (rather rarely) it aggregates two (it's always two, not more) ip_src values in one alert, and I don't know why.
Is it something in the rule logic? Please help me clear this up.
I think your issue is the time_batch. I would use time_length_batch. Also keep in mind that by adding logon_type=3 you are limiting this statement to logins via the network only and excluding interactive logins.
Hope this helps
I recreated your rule and came up with the following:
/* This basic template is a placeholder for defining basic EPL content that can be installed and executed in ESA. The sample below is the minimum that would be required to get started. Version: 4.0 */
/* Module debug section. If this is empty then debugging is off. */
/* EPL section. If there is no text here it means there were no statements. */
SELECT * FROM Event(
    /* Statement: Group */
    (device_class IN ('Windows Hosts') AND reference_id IN ('4625') AND logon_type IN ('3') AND ip_src IS NOT NULL)
    /* Statement: conditions */
    AND (result_code IN ('0xc000006a') OR ('0xc000006a' = ANY(context)))
    /* Statement: exclude (NOT IN, so the listed source is dropped rather than required) */
    AND (ip_src NOT IN ('18.104.22.168') AND user_dst NOT LIKE '%$%')
).std:groupwin(ip_src).win:time_length_batch(2 minutes, 5) /* per-source batch: 5 events or 2 minutes, matching the 5-in-120s requirement */
GROUP BY ip_src HAVING COUNT(*) >= 5;
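To see what "at least 5 bad-password network logons from the same ip_src within 120 seconds, excluding one source and machine accounts" means when run over concrete events, here is an added Python illustration. It is not RSA NetWitness or ESA code and does not reproduce Esper window semantics: it evaluates the rule's filter conditions against constructed Windows 4625 events and keeps a simple sliding 120-second window per ip_src (an assumption, simpler than time_length_batch), so each alert carries exactly one source. The events, timestamps, usernames and the 10.0.0.x addresses are constructed; the excluded address and the field names come from the posted rule.

```python
"""Per-source failed-logon burst detection modelled on the ESA rule above.

Added illustration, not RSA NetWitness code: it applies the rule's filter to
constructed Windows 4625 events and keeps a sliding 120-second window per
ip_src, firing one alert per source once the threshold is reached.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BAD_PASSWORD = "0xc000006a"            # NTSTATUS STATUS_WRONG_PASSWORD
EXCLUDED_SOURCES = {"220.127.116.11"}  # exclusion value from the posted rule
THRESHOLD = 5
WINDOW = timedelta(seconds=120)

T0 = datetime(2024, 1, 1, 12, 0, 0)    # constructed base time


def ev(seconds, ip_src, user_dst="alice", result_code=BAD_PASSWORD,
       logon_type="3", reference_id="4625", context=()):
    """Build one constructed event carrying the fields the rule references."""
    return {
        "time": T0 + timedelta(seconds=seconds),
        "device_class": "Windows Hosts",
        "reference_id": reference_id,
        "logon_type": logon_type,
        "ip_src": ip_src,
        "user_dst": user_dst,
        "result_code": result_code,
        "context": list(context),
    }


# Constructed sample: one genuine burst (10.0.0.5), a slow guesser spread past
# the window (10.0.0.9), an excluded scanner, a machine account, a wrong logon
# type, a success, and a bad-password code carried only in the context list.
SAMPLE_EVENTS = sorted(
    [ev(s, "10.0.0.5") for s in (0, 10, 20, 30, 40, 50)]
    + [ev(s, "10.0.0.9") for s in (0, 60, 130, 200, 270)]
    + [ev(s, "220.127.116.11") for s in (0, 5, 10, 15, 20, 25)]
    + [ev(12, "10.0.0.7", user_dst="WS01$")]
    + [ev(14, "10.0.0.7", logon_type="2")]
    + [ev(16, "10.0.0.7", result_code="0x0")]
    + [ev(18, "10.0.0.7", result_code=None, context=[BAD_PASSWORD])],
    key=lambda e: e["time"],
)


def matches_rule(e):
    """The filter part of the rule: Windows 4625, network logon (type 3),
    bad password in result_code or context, source not excluded, and not a
    machine account (user_dst containing $)."""
    if e["device_class"] != "Windows Hosts" or e["reference_id"] != "4625":
        return False
    if e["logon_type"] != "3" or e["ip_src"] is None:
        return False
    bad_password = e["result_code"] == BAD_PASSWORD or BAD_PASSWORD in e["context"]
    if not bad_password:
        return False
    if e["ip_src"] in EXCLUDED_SOURCES or "$" in e["user_dst"]:
        return False
    return True


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding window per ip_src: alert when `threshold` matching events fall
    within `window`, then reset that source so each burst alerts once.
    Returns a list of (ip_src, [events]) tuples, one source per alert."""
    recent = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        if not matches_rule(e):
            continue
        q = recent[e["ip_src"]]
        q.append(e)
        while q and e["time"] - q[0]["time"] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((e["ip_src"], list(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_EVENTS):
        print(f"ALERT {ip}: {len(hits)} bad-password network logons within {WINDOW.seconds}s")
```

Run against the constructed sample this fires once, for 10.0.0.5 only: the slow source never has five events inside any 120-second span, the excluded address, the machine account, the interactive logon and the successful logon are dropped by the filter, and the event whose bad-password code sits only in context still counts, as the OR in the rule intends. Because the window is keyed on ip_src, an alert can never mix two sources; the time_length_batch form in the answer above keys the batch the same way via std:groupwin(ip_src).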