I want to create a correlation rule on my log decoder to find failed RSA
authentications from 1 source using multiple user IDs within 5 minutes.
Here's what I've got for my correlation rule:

Condition: event.cat.name=auth.failures && device.type=rsaa...
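
The detection the post describes, sketched as an added Python example (not part of the original post, and not the log decoder's rule syntax): failures are grouped by source and distinct user IDs are counted over a sliding 5-minute window. The threshold of 3 user IDs, the source and user fields, the `RSA_DEVICE_TYPE` placeholder (the post's device type is truncated) and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)      # "within 5 minutes" from the post
MIN_USERS = 3                      # assumed meaning of "multiple user IDs"
DEVICE_TYPE = "RSA_DEVICE_TYPE"    # placeholder: the post's value is truncated

# Constructed sample events: (time, event.cat.name, device.type, source, user)
EVENTS = [
    ("2024-05-01T10:00:00", "auth.failures", DEVICE_TYPE, "10.0.0.5", "alice"),
    ("2024-05-01T10:00:40", "auth.failures", DEVICE_TYPE, "10.0.0.5", "alice"),
    ("2024-05-01T10:01:10", "auth.failures", DEVICE_TYPE, "10.0.0.5", "bob"),
    ("2024-05-01T10:02:00", "auth.success",  DEVICE_TYPE, "10.0.0.5", "carol"),
    ("2024-05-01T10:03:30", "auth.failures", DEVICE_TYPE, "10.0.0.5", "dave"),
    ("2024-05-01T10:00:00", "auth.failures", DEVICE_TYPE, "10.0.0.9", "erin"),
    ("2024-05-01T10:04:00", "auth.failures", DEVICE_TYPE, "10.0.0.9", "frank"),
    ("2024-05-01T10:06:00", "auth.failures", DEVICE_TYPE, "10.0.0.9", "grace"),
    ("2024-05-01T10:07:00", "auth.failures", "other",     "10.0.0.7", "heidi"),
]

def detect(events, window=WINDOW, min_users=MIN_USERS):
    """Return one alert per source each time it crosses the threshold."""
    recent = defaultdict(deque)    # source -> (time, user) failures in window
    active = set()                 # sources currently above the threshold
    alerts = []
    for ts, cat, dev, src, user in sorted(events):
        if cat != "auth.failures" or dev != DEVICE_TYPE:
            continue               # same filter as the post's condition
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, user))
        while now - q[0][0] > window:   # evict failures older than the window
            q.popleft()
        users = {u for _, u in q}       # distinct IDs, repeats count once
        if len(users) >= min_users:
            if src not in active:       # alert once per crossing, not per event
                active.add(src)
                alerts.append((src, ts, sorted(users)))
        else:
            active.discard(src)
    return alerts

if __name__ == "__main__":
    for src, ts, users in detect(EVENTS):
        print(f"{ts} {src} failed logins for {len(users)} user IDs: {users}")
```

In the sample, 10.0.0.9 fails for three user IDs but spread over six minutes, so it does not alert; repeated failures for the same ID from 10.0.0.5 count once.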