2022-03-31 01:22 PM
Hi, I have this rule configured; the objective is to find multiple login attempts from the same source IP with different users within a time frame.
// Alert per source IP; oneInSeconds=0 means no alert suppression
@RSAAlert(oneInSeconds=0, identifiers={"ip_src"})
SELECT event_time,
       ip_src,
       country_src,
       user_dst,
       action,
       result,
       user_agent
FROM Event(
    // only login/failed-login events from the monitored device
    (device_ip IN ('10.x.x.x') AND isOneOfIgnoreCase(action,{'in','fail'}))
)
.std:groupwin(ip_src)          // one window per source IP
.win:time(3600 seconds)        // sliding one-hour window
.std:unique(user_dst)          // keep one event per distinct user
group by ip_src
having count(*) >= 2;          // fire once two or more distinct users are seen
We need to generate an alert for every distinct source IP within the time frame.
The rule is generating the alerts correctly but the alert notification is missing the first login within the time window for the same IP. For example:
Window[IP(user1,user2, user3)] ----> Alert[IP(user2,user3)]
Window[IP(user1,user2)] ----> Alert[IP(user2)]
So the question is: how can we get the first user in the alert? We are only getting the data from the second user and the next ones.
The origin of events is a database and the query runs every hour.
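Below is an added reference implementation of the detection the rule above is trying to express, written in Python and not taken from the post or from RSA NetWitness. It keeps a sliding one-hour window per source IP, counts distinct usernames, filters on action the way isOneOfIgnoreCase(action,{'in','fail'}) does, and, when the threshold is reached, reports every event still inside the window, so the user that opened the window appears in the alert rather than only the triggering event. The event tuples, IP addresses, usernames, and the function name detect_password_spray are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 3600             # mirrors win:time(3600 seconds)
MIN_DISTINCT_USERS = 2            # mirrors having count(*) >= 2
WATCHED_ACTIONS = {"in", "fail"}  # mirrors isOneOfIgnoreCase(action, {'in','fail'})

# Constructed sample events (event_time, ip_src, user_dst, action); not from the original post.
SAMPLE_EVENTS = [
    ("2022-03-31 12:00:00", "203.0.113.5",  "user1", "fail"),
    ("2022-03-31 12:05:00", "203.0.113.5",  "user2", "fail"),
    ("2022-03-31 12:10:00", "203.0.113.5",  "user2", "fail"),  # repeat user, adds no distinct user
    ("2022-03-31 12:15:00", "203.0.113.5",  "user9", "out"),   # action not watched, filtered out
    ("2022-03-31 12:20:00", "203.0.113.5",  "user3", "in"),
    ("2022-03-31 12:30:00", "198.51.100.9", "alice", "in"),    # single user from this IP, no alert
    ("2022-03-31 14:00:00", "203.0.113.5",  "user4", "fail"),  # earlier events for this IP have expired
    ("2022-03-31 14:30:00", "203.0.113.5",  "user5", "fail"),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_password_spray(events, window_seconds=WINDOW_SECONDS, min_users=MIN_DISTINCT_USERS):
    """Per-source-IP sliding time window over login events.

    Emits one alert each time a new distinct username appears for an IP and the
    window then holds at least `min_users` distinct usernames. The alert carries
    every distinct user still inside the window, so the first user that opened
    the window is reported, not only the event that crossed the threshold.
    """
    windows = defaultdict(deque)  # ip_src -> deque of (time, user_dst) in arrival order
    alerts = []
    for event_time, ip_src, user_dst, action in sorted(events, key=lambda e: parse_time(e[0])):
        if action.lower() not in WATCHED_ACTIONS:
            continue
        now = parse_time(event_time)
        window = windows[ip_src]
        # Expire events that have aged out of the window, as win:time does.
        while window and (now - window[0][0]).total_seconds() >= window_seconds:
            window.popleft()
        already_seen = any(u == user_dst for _, u in window)
        window.append((now, user_dst))
        if already_seen:
            continue  # like std:unique(user_dst): a repeat of a known user changes nothing
        users = []
        for _, u in window:
            if u not in users:
                users.append(u)
        if len(users) >= min_users:
            alerts.append({
                "ip_src": ip_src,
                "window_start": window[0][0].strftime("%Y-%m-%d %H:%M:%S"),
                "trigger_time": event_time,
                "users": users,  # includes the first user in the window, not only the trigger
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input this yields three alerts for 203.0.113.5: [user1, user2] at 12:05, [user1, user2, user3] at 12:20, and, after the earlier events have expired, [user4, user5] at 14:30; the single login from 198.51.100.9 never alerts. The difference from the posted rule is that the alert is built from the whole per-IP window rather than from the one event that satisfied the having clause, which is exactly where the first user goes missing.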