Threshold rule

Hello everyone

I would like to clarify.

For example, I am trying to add a threshold rule against failed login attempts.
If a user fails more than 4 times, I should get an alert.

From the picture above, I am grouping by "winlog.event_data.ipAddress (source.ip)" and setting the threshold to >= 4.
I also set the count on "winlog.event_data.Substatus (wrong password)" to >= 1.

I think it should be vice versa?
I think, the structure of the threshold rule is incorrect.
For example, it should be:
group by "winlog.event_data.ipAddress (source.ip)" >= unique values 1 and
count "winlog.event_data.Substatus (wrong password)" >= threshold 4

Can someone please help the right way?

Yep that way makes more sense.
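As an added illustration (not code from the thread or from Elastic), here is the corrected rule's logic written out over constructed sample 4625-style events: bucket by source IP, count only wrong-password failures, and alert once a bucket reaches 4 inside the lookback window. The Substatus values 0xC000006A (wrong password) and 0xC0000064 (unknown user name) are the standard Windows codes, not values taken from the thread; the lookback window is an assumption added to make the check realistic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows substatus codes for event 4625 (assumed here; not quoted in the thread).
WRONG_PASSWORD_SUBSTATUS = "0xC000006A"   # user name correct, password wrong
UNKNOWN_USER_SUBSTATUS = "0xC0000064"     # user name does not exist

# Constructed sample events, not real log data. Fields mirror the ones the
# thread discusses: source.ip and winlog.event_data.SubStatus.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00", "source.ip": "10.0.0.5", "winlog.event_data.SubStatus": WRONG_PASSWORD_SUBSTATUS},
    {"@timestamp": "2024-01-01T10:00:30", "source.ip": "10.0.0.5", "winlog.event_data.SubStatus": WRONG_PASSWORD_SUBSTATUS},
    {"@timestamp": "2024-01-01T10:01:00", "source.ip": "10.0.0.5", "winlog.event_data.SubStatus": WRONG_PASSWORD_SUBSTATUS},
    {"@timestamp": "2024-01-01T10:01:30", "source.ip": "10.0.0.5", "winlog.event_data.SubStatus": WRONG_PASSWORD_SUBSTATUS},
    # Second IP: four failures, but only one of them is a wrong password.
    {"@timestamp": "2024-01-01T10:02:00", "source.ip": "10.0.0.9", "winlog.event_data.SubStatus": WRONG_PASSWORD_SUBSTATUS},
    {"@timestamp": "2024-01-01T10:02:10", "source.ip": "10.0.0.9", "winlog.event_data.SubStatus": UNKNOWN_USER_SUBSTATUS},
    {"@timestamp": "2024-01-01T10:02:20", "source.ip": "10.0.0.9", "winlog.event_data.SubStatus": UNKNOWN_USER_SUBSTATUS},
    {"@timestamp": "2024-01-01T10:02:30", "source.ip": "10.0.0.9", "winlog.event_data.SubStatus": UNKNOWN_USER_SUBSTATUS},
    # Third IP: a wrong-password failure, but two hours before the window.
    {"@timestamp": "2024-01-01T08:00:00", "source.ip": "10.0.0.7", "winlog.event_data.SubStatus": WRONG_PASSWORD_SUBSTATUS},
]


def evaluate_threshold_rule(events, now, lookback=timedelta(minutes=5), threshold=4):
    """Group wrong-password failures by source.ip within the lookback window and
    return {ip: count} for every IP whose count reached the threshold."""
    window_start = now - lookback
    counts = defaultdict(int)
    for ev in events:
        # The "count" clause: only wrong-password failures count toward the threshold.
        if ev.get("winlog.event_data.SubStatus") != WRONG_PASSWORD_SUBSTATUS:
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        if not window_start <= ts <= now:
            continue
        # The "group by" clause: one bucket per source IP.
        counts[ev["source.ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    alerts = evaluate_threshold_rule(SAMPLE_EVENTS, now=datetime(2024, 1, 1, 10, 3))
    for ip, n in alerts.items():
        print(f"ALERT {ip}: {n} wrong-password failures")
```

Only 10.0.0.5 alerts: 10.0.0.9 has four failures but just one wrong password, and 10.0.0.7's failure falls outside the window, which is why the count has to be on the Substatus field and the grouping on the IP, not the other way round.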
