Threshold rule examples
The following Threshold rule generates a TOO_MANY_AUTH_FAILS event when 10 SNMP_AUTHENTICATION_FAILURE events occur within 120 seconds.
Threshold rule example

threshold too_many_authentication_failures:
    SNMP_AUTHENTICATION_FAILURE ($EV)
    where [ $EV.status != CLOSED AND $EV.status != BLACKOUT ]
    when 10 within 120
    {
        generate_event (TOO_MANY_AUTH_FAILS, [ mb_object = $EV.snmp_source_addr ]);
    }
END
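The rule above counts qualifying SNMP_AUTHENTICATION_FAILURE events in a 120 second sliding window and, on the tenth, generates TOO_MANY_AUTH_FAILS carrying the source address of the event that crossed the threshold. The following Python model of that logic is an added example for illustration, not code from the page or the rule engine: the Event fields mirror the $EV.status and $EV.snmp_source_addr slots used in the rule, the sample events are constructed here, the rule counts across all sources (as the rule shown does, with no per-source partitioning), an event exactly 120 s older than the newest one still counts, and the window is cleared after the rule fires so one burst produces one correlated event. Those last three points are choices of this example, not behaviour documented on the page.

```python
from collections import deque
from dataclasses import dataclass


# Constructed event record; field names follow the $EV slots referenced in the rule.
@dataclass
class Event:
    event_class: str
    status: str
    snmp_source_addr: str
    timestamp: int  # seconds; constructed integer timestamps are used below


class ThresholdRule:
    """Sliding-window threshold modelled on the page's rule:
    fire when `count` qualifying events arrive within `window` seconds."""

    def __init__(self, count=10, window=120):
        self.count = count
        self.window = window
        self.seen = deque()  # timestamps of qualifying events still inside the window

    def qualifies(self, ev):
        # Event class match plus the rule's 'where' clause
        return (ev.event_class == "SNMP_AUTHENTICATION_FAILURE"
                and ev.status not in ("CLOSED", "BLACKOUT"))

    def process(self, ev):
        """Return the generated event (as a dict) when the threshold is met, else None."""
        if not self.qualifies(ev):
            return None
        self.seen.append(ev.timestamp)
        # Expire events older than `window` seconds relative to the newest one
        while self.seen and ev.timestamp - self.seen[0] > self.window:
            self.seen.popleft()
        if len(self.seen) >= self.count:
            self.seen.clear()  # assumption: start a fresh window after firing
            # Equivalent of generate_event(TOO_MANY_AUTH_FAILS, [mb_object = $EV.snmp_source_addr])
            return {"class": "TOO_MANY_AUTH_FAILS",
                    "mb_object": ev.snmp_source_addr,
                    "at": ev.timestamp}
        return None


def run_rule(events, count=10, window=120):
    """Feed events to the rule in timestamp order and collect what it generates."""
    rule = ThresholdRule(count, window)
    generated = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        out = rule.process(ev)
        if out is not None:
            generated.append(out)
    return generated


def sample_events():
    """Constructed input: a burst that must fire, filtered events that must not count,
    and a slower sequence that never reaches 10 within any 120 s window."""
    burst = [Event("SNMP_AUTHENTICATION_FAILURE", "OPEN", "192.0.2.10", t)
             for t in range(0, 120, 10)]                      # 12 failures, t = 0..110
    ignored = [Event("SNMP_AUTHENTICATION_FAILURE", "CLOSED", "192.0.2.10", 45),
               Event("SNMP_AUTHENTICATION_FAILURE", "BLACKOUT", "192.0.2.10", 55)]
    slow = [Event("SNMP_AUTHENTICATION_FAILURE", "OPEN", "198.51.100.7", t)
            for t in list(range(300, 390, 10)) + [430, 440]]  # 9 close together, then 2 late
    return burst + ignored + slow


if __name__ == "__main__":
    for g in run_rule(sample_events()):
        print(g)  # the burst from 192.0.2.10 fires once, on its 10th failure at t=90
```

Running the module shows a single TOO_MANY_AUTH_FAILS for 192.0.2.10: the CLOSED and BLACKOUT events are dropped by the where-clause equivalent before they are counted, and the 198.51.100.7 sequence never has ten events inside one 120 s window because the oldest entries expire as the late ones arrive.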