Hi,
Can anybody explain this profiler config rule to me, please?
{
"profile": "failed-logins",
"foreach": "user.name",
"onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
"init": { "count": 0 },
"update": { "count" : "count + 1" },
"result": "count"
}
What does "source.type == 'activedirectory' and event.type == 'failed_login'" mean?
Does it mean the profiler will read from an ES index that has the condition
source.type == 'activedirectory'? If yes, must I first index to ES
where source type = activedirectory?
I've just read Nick's article here:
https://www.slideshare.net/NickAllen4/apache-metron-profiler
In the other rule configs there are "source.type == 'yaf'" and
"source.type == 'bro'". What I know is that "source.type == 'yaf'" and
"source.type == 'bro'" are indexed by default on Metron. How about
activedirectory?
Best Regards,
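The following is an added illustration written for this page, not code from Apache Metron or from the poster. In Metron, `onlyif`, `foreach`, `init`, `update` and `result` are Stellar expressions that the profiler applies to each message it consumes from its Kafka input topic; `onlyif` is a per-message filter, not an Elasticsearch query, and `source.type` is the sensor name stamped on a message by the parser topology that produced it. The toy below stands in restricted Python expressions for Stellar and runs the "failed-logins" profile over a handful of constructed messages, so you can see that a message tagged `bro` or `yaf` is dropped by `onlyif` before it ever reaches `update`, and why a condition on `source.type == 'activedirectory'` can only match if some parser emits messages with that sensor name. The message fields and expression subset are assumptions of the example.

```python
"""Toy evaluation of a Metron-style profile over a batch of messages.

Added example, not Metron code: Stellar is replaced by a small, safe
subset of Python expression syntax (names, dotted fields, ==, !=, and/or,
+, -, *), and the messages are constructed samples.
"""
import ast
import operator
from typing import Any, Dict, List

# The profile from the post (dotted field names are plain Stellar fields).
PROFILE = {
    "profile": "failed-logins",
    "foreach": "user.name",
    "onlyif": "source.type == 'activedirectory' and event.type == 'failed_login'",
    "init": {"count": 0},
    "update": {"count": "count + 1"},
    "result": "count",
}

_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.Gt: operator.gt, ast.LtE: operator.le, ast.GtE: operator.ge}
_BIN = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _field_name(node: ast.AST) -> str:
    """Rebuild a dotted field such as `source.type` from the attribute chain
    Python parsed it into, so it can be looked up as one message key."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _field_name(node.value) + "." + node.attr
    raise ValueError(f"unsupported name: {ast.dump(node)}")


def evaluate(expr: str, scope: Dict[str, Any]) -> Any:
    """Evaluate one expression against `scope` (message fields plus profile
    state). A missing field evaluates to None, so a message without
    `event.type` simply fails the equality test instead of raising."""
    def ev(n: ast.AST) -> Any:
        if isinstance(n, ast.Constant):
            return n.value
        if isinstance(n, (ast.Name, ast.Attribute)):
            return scope.get(_field_name(n))
        if isinstance(n, ast.BoolOp):
            vals = (ev(v) for v in n.values)
            return all(vals) if isinstance(n.op, ast.And) else any(vals)
        if isinstance(n, ast.Compare):
            left = ev(n.left)
            for op, comp in zip(n.ops, n.comparators):
                right = ev(comp)
                if not _CMP[type(op)](left, right):
                    return False
                left = right
            return True
        if isinstance(n, ast.BinOp):
            return _BIN[type(n.op)](ev(n.left), ev(n.right))
        raise ValueError(f"unsupported syntax: {ast.dump(n)}")
    return ev(ast.parse(expr, mode="eval").body)


def run_profile(profile: Dict[str, Any], messages: List[Dict[str, Any]]) -> Dict[Any, Any]:
    """Fold one profile over a batch of messages, as the profiler does within
    one period: filter with `onlyif`, group by `foreach`, seed state with
    `init` on first sight, apply `update`, then compute `result` per entity."""
    state: Dict[Any, Dict[str, Any]] = {}
    for msg in messages:
        if not evaluate(profile["onlyif"], msg):
            continue  # filtered out: this message never touches the profile
        entity = evaluate(profile["foreach"], msg)
        if entity is None:
            continue  # nothing to group by
        if entity not in state:
            state[entity] = {k: (evaluate(v, msg) if isinstance(v, str) else v)
                             for k, v in profile["init"].items()}
        scope = {**msg, **state[entity]}
        for k, v in profile["update"].items():
            state[entity][k] = evaluate(v, scope)
    return {e: evaluate(profile["result"], s) for e, s in state.items()}


# Constructed sample messages; `source.type` is what a parser would stamp.
SAMPLE_MESSAGES = [
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "alice"},
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "alice"},
    {"source.type": "activedirectory", "event.type": "login", "user.name": "alice"},
    {"source.type": "activedirectory", "event.type": "failed_login", "user.name": "bob"},
    {"source.type": "bro", "event.type": "failed_login", "user.name": "alice"},  # wrong sensor
    {"source.type": "yaf", "ip_src_addr": "10.0.0.5"},  # no event.type or user.name
]

if __name__ == "__main__":
    print(run_profile(PROFILE, SAMPLE_MESSAGES))  # {'alice': 2, 'bob': 1}
```

Only the four `activedirectory` messages are even considered, and of those only the three with `event.type == 'failed_login'` update a counter; the `bro` failed login is ignored despite matching the second half of the condition. If no parser in the deployment emits `source.type == 'activedirectory'`, this profile filters out every message and produces no measurements.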