2018-03-01 05:40 PM
Hello,
One of the ESA alerts that we are using is Failed Logins followed by a successful one. Now we are trying to give that information to our client in the form of a report, extracted by the reporting engine of ESA.
I included some of the meta that appear in the alert and I got this
But the issue is: can I put in this rule the number of times that the user failed the login before the successful one, instead of the total of wrong tries?
Something like:
User, Result, Event Description, IP, Host, Failed Times before success
johdone@email.com, unknown username, an account failed to log, 1.1.1.1, hostname1, 3
Thanks in advance