2018-06-28 10:16 AM
Is it possible to create a threshold for a specific user in an ESA rule?
We have a user that triggers many alerts for Brute Force Logins due to a misconfiguration of her computer and OS. Our clients know that and are aware of the situation. So I contacted them and we came up with an idea: the creation of a threshold for her.
For her user it only generates an incident/alert if it is the 2.000th time it fails login, for example...
Is it possible to do that, and where can we create the threshold?
2018-07-22 07:08 AM
Hi,
This can be achieved using the EPL function "firsttime", which takes the first event only and ignores the rest in this window.
More info can be found here: http://esper.espertech.com/release-6.1.0/esper-reference/html/epl-views.html#view-win-firsttime
You can also use "first every x min", as in this KB: 000031897 - Example Advanced ESA Rule which shows suppression on multiple variables in RSA Security Analytics
More on the EPL site as well, here: http://esper.espertech.com/release-6.0.1/esper-reference/html/appendix_outputspec.html (A.2.4. Output Rate Limiting - First)
An example can look like this:
@RSAAlert
SELECT window(*) FROM Event
(
device_type='snort'
AND ip_dstport=137
).win:time(60 sec)
GROUP BY ip_src
HAVING count(ip_dst) > 3
output first every 30 min;
Akram
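Putting the answer's approach together for the situation in the question, as an added example that is not part of Akram's post, the original question, or any RSA KB article: a single ESA rule that counts failed logons per account in a sliding window, applies a much higher threshold to the one known-noisy account, and uses the "output first every" rate limiting from the answer so the rule does not re-alert on every additional failure inside the suppression interval. The meta keys ec_activity, ec_outcome and user_dst, the account name 'jdoe', the window size and both thresholds are assumptions; substitute the keys and values your ESA event source actually carries.

```epl
/* Added example, not from the original post.
   Assumptions: meta keys ec_activity, ec_outcome, user_dst;
   account name 'jdoe'; window, thresholds and suppression interval. */
@Name('BruteForceLogon_PerUserThreshold')
@RSAAlert
SELECT user_dst, count(*) AS failures
FROM Event(
    ec_activity = 'Logon'
    AND ec_outcome = 'Failure'
).win:time(60 min)                                   /* sliding 60-minute window of failed logons */
GROUP BY user_dst                                    /* one running count per account */
HAVING (user_dst = 'jdoe' AND count(*) > 2000)       /* known-noisy account: only alert at a very high count */
    OR (user_dst != 'jdoe' AND count(*) > 10)        /* every other account: normal brute-force threshold */
OUTPUT FIRST EVERY 30 min;                           /* suppress repeat output for 30 minutes after an alert */
```

Keeping both thresholds in one HAVING clause avoids a second, near-identical rule and keeps the exception visible next to the normal condition, which makes it easier to review and to remove once the misconfigured workstation is fixed. Before relying on the suppression, confirm in the Esper output-rate-limiting reference linked in the answer how "output first every" interacts with GROUP BY in the Esper version your ESA deployment runs, and test the rule against a replay of the noisy account's events to verify it fires only at the intended count.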