Has anybody done much testing with the frequency and timeframe parameters in various rulesets?
I'm trying to get it to work with SSH logins and am having issues. This is in reference to alerts 5712 and 5720 specifically. The SSH server I'm testing this on is pretty busy - I noticed that the rules don't fire very frequently, say, if I set the frequency to 3 or 4 and the timeframe to 120. I am definitely failing 3-4 times within the 120 seconds, but the alerts are not triggering. I currently have this set up in server-agent mode and previously had it working in local mode.

Is there a limitation that the same message must be repeated 3-4 (or whatever I set the freq to) times in subsequent order and without 'interruption' (i.e. other messages popping up in between) in order to trigger? I noticed that if I fired off 4 quick logon failures I was able to get 5720 to fire. But I haven't been able to get it to fire again thus far. There are a lot of other messages that pop up in between. I would assume this shouldn't affect the alert, though.

Has anybody else tried/tested this or has it working in similar circumstances? TIA
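As an added illustration of the frequency/timeframe semantics the question is about (this is a toy model written for this page, not the OSSEC rule engine's own code): a sliding-window counter over constructed sshd log lines, assuming that only lines matching the child rule are counted and that unrelated messages in between neither count nor reset the window. With frequency=4 and timeframe=120 the four interleaved failures still fire once; with timeframe=60 they never do.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample auth log (not from the original post). The "Accepted" and
# "session opened" lines are the unrelated messages that land between failures.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[101]: Failed password for invalid user bob from 203.0.113.5 port 4001 ssh2
Mar  1 10:00:20 host sshd[102]: Accepted publickey for alice from 198.51.100.7 port 4002 ssh2
Mar  1 10:00:35 host sshd[103]: Failed password for root from 203.0.113.5 port 4003 ssh2
Mar  1 10:00:50 host sshd[104]: pam_unix(sshd:session): session opened for user alice
Mar  1 10:01:10 host sshd[105]: Failed password for invalid user admin from 203.0.113.5 port 4004 ssh2
Mar  1 10:01:40 host sshd[106]: Failed password for root from 203.0.113.5 port 4005 ssh2
Mar  1 10:05:00 host sshd[107]: Failed password for root from 203.0.113.5 port 4006 ssh2
"""

# Matches the "child" event (one SSH authentication failure) and captures its timestamp.
FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for")


def parse_ts(stamp, year=2024):
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def threshold_alerts(log_text, frequency, timeframe):
    """Return the timestamps at which a composite 'frequency within timeframe'
    rule fires. Only matching events enter the window; anything else is ignored."""
    window = deque()  # timestamps of recent failures, oldest first
    alerts = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # unrelated message: neither counted nor a reset
        ts = parse_ts(m.group(1))
        window.append(ts)
        # Drop failures that fell out of the trailing timeframe window.
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            alerts.append(ts)
            window.clear()  # one burst produces one alert, then counting restarts
    return alerts


def alert_times(log_text, frequency, timeframe):
    return [a.strftime("%H:%M:%S") for a in threshold_alerts(log_text, frequency, timeframe)]
```

Lowering the timeframe below the gap between successive failures is the quickest way to see why a busy, slow-dripping failure pattern can sit just under a threshold on a noisy host.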
