Hi, I’m still studying and working part-time as a tech. I’m trying to make this work for a school project.
I have configured streams and email settings, and test emails are working properly. I would like to set up a mail alert for one of the streams I created. Specifically, I want to send an alert when a user has 10 failed password attempts threshold for example. The email should contain the username and specify how many failed attempts have occurred.
I’ve spent the whole day on this without being able to make it work.
Could you please help me?
I’m assuming here that you don’t need assistance with the query used in the event definition.
The framework to achieve what you want would start with the aggregation event type. The settings in the below picture should achieve one part of what you after, if anyone with the same username fails login 10 times or over then create alert, grouping by the username allows us to pull the contents of field username into the alert information.
We would still need to create a field within our alert that contains the username from the source message, this is done on the ‘fields’ page of the event definition. See the configuration below, this will pull the username field that we are grouping by from the source message (${source.username}) and into a field within the event also called username. Ensure the ‘Use Field as Event Key’ is ticket and you will see this new field within your email notification under.
Hey, thanks a lot for your answer! I just saw it, and I think I managed to make it work using another method. I’ll share it here. What do you think? I believe it’s working properly !
Assuming the query is looking for the correct event ID then this would throw an alert if three or more instances of a failed login message were ingested with the same username.
