We have an alert configured in our environment that is Failed login with success.We want to refine this alert in a way that when multiple users login is failed and other user is success from same host for event 4776 and 4624 Type 2, then only it fires alert.
Rule syntax this time
/*
Multiple(here 2 times) Failed Logins for Followed By a Successful Login by the same host within N seconds
*/
module Module_54d82ffaf280bd73e4e2fc22;
@Name('Module_54d82ffaf280bd73e4e2fc22_Alert')
@Description('Multiple Failed Logins Followed By a Successful Login within N sec')
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM
Event(
ec_outcome in ('Success', 'Failure')
AND
ec_activity='Logon'
AND
user_dst IS NOT NULL
).win:time(180 sec)
match_recognize (
partition by host_src or alias_host
measures F as f_array, S as s
pattern (
F F F F F+ S+
)
define
F as F.ec_outcome= 'Failure',
S as S.ec_outcome= 'Success');
Kindly help!
