I would like to create a rule where I can detect a brute force attack.
For example: in logon-failed, aggregation by user.name, and if it's more than 10, it creates an alert.
My problem is that I don't know how to make the aggregation by
Could you tell me please which type of rule I can use, and is it possible to make an aggregation, or can I just do it by using a watcher script?
Thanks for your help!
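The aggregation the post describes (count logon-failed events per user.name and alert above 10), written out as an added Python example that is not part of the original post or of any rule engine. It assumes ECS-style field names (`event.action`, `user.name`, `@timestamp`), a 5-minute sliding window that the post does not specify, and constructed sample events.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events in an ECS-like shape (not taken from the post):
# event.action marks failed logons, user.name is the aggregation key.
def make_events():
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    # "alice": 12 failures within two minutes -> should alert
    for i in range(12):
        events.append({"@timestamp": base + timedelta(seconds=10 * i),
                       "event.action": "logon-failed", "user.name": "alice"})
    # "bob": 11 failures spread over an hour -> never more than 10
    # inside the 5-minute window, so no alert
    for i in range(11):
        events.append({"@timestamp": base + timedelta(minutes=6 * i),
                       "event.action": "logon-failed", "user.name": "bob"})
    # a successful logon is filtered out and never counted
    events.append({"@timestamp": base, "event.action": "logon-success",
                   "user.name": "alice"})
    return events

def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {user.name: peak_count} for every user that had more than
    `threshold` failed logons inside some sliding window of length `window`."""
    per_user = defaultdict(deque)   # user.name -> timestamps still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("event.action") != "logon-failed":
            continue                # only failed logons are aggregated
        user = ev.get("user.name")
        if not user:
            continue                # events without the key cannot be grouped
        q = per_user[user]
        q.append(ev["@timestamp"])
        # evict timestamps that fell out of the window
        while q and ev["@timestamp"] - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alerts[user] = max(alerts.get(user, 0), len(q))
    return alerts
```

A fixed-bucket rule (count per user in the last N minutes, run every N minutes) can miss a burst that straddles two buckets, which is why the example keeps a sliding window per user.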