Thanks woodcock, I used "| rex max_match=0 field=_raw "(?)Dest : (?.*)" | table path" in the end, but your suggestion to use "max_match=0" really helps!
I don't want to see brute force from the DC, as this is of no use, but instead from actual users. I am stuck at the place where this extreme search is defined in the rule "xswhere failure from failures_by_src_count_1h in authentication is above medium".
I want to replace this failures_by_src_count_1h with failures_by_user_count_1h but don't have an idea how to change this. Any help with this would be appreciated.