Hi,

I have put together a correlation which looks as user account lockouts, and have had it to send an email (using the GUI Adaptive Response Actions).

My issue is that if the correlation detects a single lockout within it's search window, it will generate the email, however, if there are multiple results returned, it fails to send out emails.

Example correlation search:

| tstats summariesonly=true count earliest(_time) as FirstSeen latest(_time) as LastSeen values(All_Changes.src) as Computer values(All_Changes.Account_Management.dest_nt_domain) as All_Changes.Account_Management.dest_nt_domain
    from datamodel=Change 
    where All_Changes.result_id=4740 All_Changes.Account_Management.src_nt_domain=mydomain
    by  All_Changes.Account_Management.src_nt_domain  All_Changes.user All_Changes.result_id All_Changes.result All_Changes.signature 
| eval FirstSeen=strftime(FirstSeen,"%Y-%m-%d %H:%M.%S"), LastSeen=strftime(LastSeen,"%Y-%m-%d %H:%M.%S") 
| rename All_Changes.* as * 
| rename Account_Management.* as * 
| `thales_get_asset(dest_nt_domain)` 
| `get_identity4events(user)`
| table FirstSeen LastSeen src_nt_domain dest_nt_domain user_original user_first user_email Computer result_id result signature count Computer_description Computer_ip Computer_lookup_source Computer_owner

With the Email Adaptive response configured something like so:

To: $result.user_email$

Subject: $name$ - $result.user_original$


Body:

Hi $result.user_first$,

[some explanation stuff here]

Between $result.FirstSeen$ and $result.LastSeen$, your account $result.user_original$ has been locked out $result.count$ times.

These account lockouts occurred on the following systems:

$result.dest_nt_domain$


[blah blah etc]

Any idea what I am doing wrong here, any advice on how to progress, etc?

Cheers,

Sheamus