I trying to create a custom account lockout alert with the below consideration:
For every user/account that encounters >= 5 lockouts events in 24hrs, an alert will be sent.
something like: where(action=“ACCOUNT_LOCKED”) groupby(target_account) calculate(count>=5) timeslice(1d) //only those account who got >= 5 lockouts should be in scope; for duration lets just say every 24hrs
Is this something that can be readily created in the InsightIDR? Not really that good on query so any suggestions on how to do this is very much appreciated.