I am trying to figure out how to create an alert from unparsed logs.
I am able to create only one single alert per failed authentication.
How can I set it up in a way that if the user tries to login 3 times in a row it creates the report/alert?
I tried doing different things like calculate(count > 3) or other stuff but it didn't work for me.
Does somebody have any suggestion?
This form of static threshold alerting is currently not supported as an in-product alert. It is technically possible to achieve by writing a script against our log query API.
This functionality is on our radar and we plan to deliver it as an in-product feature, hopefully some time next year.
Here is an older post which asked a similar question Question on log search - #6 by david_smith
If you are willing and able to write scripts against the API, I'm happy to share a working example which could be used as a suggestion to tweak and suit your needs, as I mentioned in that previous post.
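The script referred to above was sent by email and is not shown in this thread. As an added example (not david_smith's script and not the vendor's log query API), the following shows the detection logic such a script would carry once the events have been fetched: it flags a user after a threshold number of consecutive failed logins within a time window, and a successful login resets the run. The event shape (`ts`, `user`, `result`), the sample events and the threshold/window values are constructed assumptions; how the events are pulled from the API is left out because the thread does not show that API.

```python
"""Added example: consecutive-failed-login threshold alerting.

Assumptions (not from the original thread):
  - events have already been fetched from a log query API and parsed into
    dicts with 'ts' (ISO 8601, UTC), 'user' and 'result' ('success'/'failure');
  - THRESHOLD and WINDOW are illustrative values, tune them to your environment.
"""
from datetime import datetime, timedelta

THRESHOLD = 3                 # failures in a row before alerting
WINDOW = timedelta(minutes=10)  # failures older than this do not count toward the run

# Constructed sample data standing in for the output of an API query.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T08:00:01Z", "user": "alice", "result": "failure"},
    {"ts": "2024-01-15T08:00:20Z", "user": "alice", "result": "failure"},
    {"ts": "2024-01-15T08:00:45Z", "user": "bob",   "result": "failure"},
    {"ts": "2024-01-15T08:01:02Z", "user": "alice", "result": "failure"},
    {"ts": "2024-01-15T08:01:30Z", "user": "bob",   "result": "success"},
    {"ts": "2024-01-15T08:02:00Z", "user": "bob",   "result": "failure"},
    {"ts": "2024-01-15T08:02:10Z", "user": "bob",   "result": "failure"},
    {"ts": "2024-01-15T08:30:00Z", "user": "carol", "result": "failure"},
    {"ts": "2024-01-15T08:31:00Z", "user": "carol", "result": "failure"},
    {"ts": "2024-01-15T09:00:00Z", "user": "carol", "result": "failure"},  # outside WINDOW
]


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_consecutive_failures(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per run of `threshold` consecutive failures per user.

    Events are processed in timestamp order. A success for a user clears that
    user's run; failures older than `window` relative to the current failure are
    dropped from the run, so slow trickles do not accumulate forever.
    """
    alerts = []
    runs = {}  # user -> timestamps of the current unbroken failure run
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        user, ts = ev["user"], parse_ts(ev["ts"])
        if ev["result"] == "success":
            runs.pop(user, None)  # a successful login breaks the run
            continue
        run = runs.setdefault(user, [])
        run[:] = [t for t in run if ts - t <= window]  # age out stale failures
        run.append(ts)
        if len(run) >= threshold:
            alerts.append({
                "user": user,
                "count": len(run),
                "first": run[0].isoformat(),
                "last": ts.isoformat(),
            })
            runs.pop(user)  # reset so each run produces exactly one alert
    return alerts


if __name__ == "__main__":
    for alert in find_consecutive_failures(SAMPLE_EVENTS):
        print(f"ALERT: {alert['user']} failed {alert['count']} logins in a row "
              f"between {alert['first']} and {alert['last']}")
```

Run on the sample, only `alice` is flagged: `bob` has a success between his failures, and `carol`'s third failure falls outside the window. If the script runs on a schedule, keep the per-user run state between invocations (or query a window that overlaps the previous run) so a run that straddles two polls is not missed.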
Sorry for the late response.
I'm able to work with APIs. It would be great to get the example.
I sent you the script via email last week, hope it made it to your Inbox @ocoscia
Sorry for the late response. I received your mail.
Somehow there is only a .HTM file attached. Was the Python script included?
Could have been caught by your email vendor, just resent as a .zip