Hello team,

we would like to have an event if a login fails 5 times in one minute, but
only if there is NO successful login following.
The alert should only be fired if the user accesses the same target from
any IP.



Code:
--------------------

sequence(
    filter(((e.XDASClass = 2) AND (e.XDASIdentifier = 4) AND (e.XDASOutcome = 2)) OR
           ((e.XDASOutcomeName = "XDAS_OUT_DENIAL")))
    flow trigger(5, 60, discriminator(e.TargetUserName)),
    filter(e.EventName != "sshd: User authenticated")
    flow trigger(1, 60, discriminator(e.SourceIP)),
    60)
--------------------


This does not seem to work.

T.


--
tfechner
------------------------------------------------------------------------
tfechner's Profile: https://forums.netiq.com/member.php?userid=8929
View this thread: https://forums.netiq.com/showthread.php?t=52972
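The detection the post asks for, written out as plain Python rather than as a Sentinel correlation rule, so the intended semantics can be checked against sample data: count failed logins per (user, target) in a sliding 60-second window regardless of source IP, arm an alert at the fifth failure, and release it only if no successful login for the same user and target arrives within a 60-second grace window. This is an added example, not code from the original post, the NetIQ forum, or the Sentinel product; the event field names (`ts`, `user`, `target`, `src_ip`, `outcome`) and all sample events are constructed for illustration.

```python
from collections import defaultdict, deque

FAIL, SUCCESS = "fail", "success"


def detect_failed_logins(events, threshold=5, window=60, grace=60, end_time=None):
    """Alert on (user, target) pairs that see `threshold` failed logins within
    `window` seconds from any source IP, unless a successful login for the same
    pair follows within `grace` seconds of the burst.

    Events are dicts with keys ts (seconds), user, target, src_ip, outcome.
    The field names are assumptions for this example, not Sentinel fields.
    """
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(deque)  # (user, target) -> deque of (ts, src_ip)
    pending = {}                   # (user, target) -> (armed_ts, set of src_ips)
    alerts = []

    def release(now):
        # A pending burst becomes an alert once the grace window has passed
        # with no successful login seen for that user/target.
        for key, (armed_ts, ips) in list(pending.items()):
            if now - armed_ts > grace:
                user, target = key
                alerts.append({"user": user, "target": target,
                               "armed_ts": armed_ts, "src_ips": sorted(ips)})
                del pending[key]

    for e in events:
        now = e["ts"]
        release(now)
        key = (e["user"], e["target"])
        if e["outcome"] == SUCCESS:
            # A success inside the grace window cancels the burst and resets the count.
            pending.pop(key, None)
            failures[key].clear()
            continue
        q = failures[key]
        q.append((now, e["src_ip"]))
        while q and now - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in pending:
            pending[key] = (now, {ip for _, ip in q})
            q.clear()  # one alert per burst; later failures start a new count

    if end_time is not None:
        release(end_time)
    return alerts


def sample_events():
    """Constructed sample events (not real log data)."""
    def ev(ts, user, outcome, src_ip, target="srv1"):
        return {"ts": ts, "user": user, "target": target,
                "src_ip": src_ip, "outcome": outcome}

    events = []
    # alice: 5 failures from two IPs within 60 s, never succeeds -> alert
    events += [ev(t, "alice", FAIL, ip) for t, ip in
               [(0, "10.0.0.1"), (10, "10.0.0.1"), (20, "10.0.0.2"),
                (30, "10.0.0.2"), (40, "10.0.0.1")]]
    # bob: same burst, but a success 9 s after the fifth failure -> no alert
    events += [ev(t, "bob", FAIL, "10.0.0.3") for t in (1, 11, 21, 31, 41)]
    events.append(ev(50, "bob", SUCCESS, "10.0.0.3"))
    # carol: only 4 failures inside any 60 s window -> no alert
    events += [ev(t, "carol", FAIL, "10.0.0.4") for t in (2, 17, 32, 47, 100)]
    # dave: burst, then a success after the grace window expired -> alert stands
    events += [ev(t, "dave", FAIL, "10.0.0.5") for t in (5, 15, 25, 35, 45)]
    events.append(ev(130, "dave", SUCCESS, "10.0.0.5"))
    return events


def run_sample():
    return detect_failed_logins(sample_events(), end_time=200)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two points worth noting when translating this back into a correlation engine: the "no success following" condition is a negative pattern, so the rule has to hold the burst for the grace period and then fire on a timeout rather than on a matching event, and with a purely event-driven clock (as here) a held alert is only released when a later event or an explicit end-of-window check advances time, so a production implementation needs a timer rather than waiting for the next event.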