I am trying to figure out how to create an alert from unparsed logs.
I am able to create only one single alert per failed authentication.
How can i set it up in a way if the user tries to login 3 times in a row it creates the report/alert?
I tried by doing different things like calculate(count > 3) or other stuff but didnt work for me.
Does somebody have any suggestion?