Hi Shishir, if you use SELECT * FROM event().std:groupwin(user_dst).win:time_batch(60 seconds) group by user_dst having count(user_dst) >= 20; you will get different alerts for different users.
Yes, it is possible. You should use .win:time_batch instead of .win:time_length_batch; e.g.: @RSAAlert(oneInSeconds=0, identifiers={"user_dst"}) SELECT window(*) FROM Event( medium = 32 AND ec_activity='Logon' AND ec_outcome='Failure' AND user_dst IS NOT ...
Sure, you have to configure an in-memory table (see Alerting: Configure In-Memory Table as Enrichment Source) and you will have to change the rule: @UsesEnrichment(name='SOME_POINTER_TO_A_LIST') @Name('Module_esa000111_Alert') @Description('Detects logins f...
Hello Renato, to remove a specific user you need to edit (create a new advanced EPL) the 'Logins across Multiple Servers' rule and add user_dst NOT IN ('user to remove'). For example: /*Version: 2*/ module Module_esa000111; @Name('Module_esa000111_Alert') @De...