...
This sample demonstrates how to set up an execution plan with a query that detects suspicious login attempts to a user account. It generates an alert when it sees two login attempts to the same user account from two different IP addresses within a short time period (10 seconds in this query).
The query used in this sample is as follows:
from every a1 = authStream
-> b1 = authStream[username == a1.username and ipAddress != a1.ipAddress]
within 10000
select a1.username as username, a1.ipAddress as ip1, b1.ipAddress as ip2
insert into alertStream;
In the above query, we use the pattern syntax to identify two login attempts to the same account from two different IP addresses within 10 seconds, both received through the authStream. We name these two events a1 and b1. The arrow (->) denotes that b1 must arrive after a1; other events may arrive in between. The condition inside the brackets selects, as b1, only events with the same username as a1 and a different IP address. The 'within' keyword requires the whole pattern, from a1 to b1, to complete inside a 10,000 millisecond interval; an a1 whose b1 does not arrive in that time is discarded without an alert. Finally, we select a few attributes of the matched pair (the username and both IP addresses) and insert them into the alertStream.
Also note that the 'every' keyword makes the CEP keep searching for this pattern for every event it receives: each arriving event starts a new a1, so repeated attacks and attacks against different accounts are all detected. If we omit this keyword, the pattern is searched only once: the first event becomes a1, the pattern fires at most once, and subsequent events are not matched.
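To make the pattern semantics concrete, the following is a standalone reference implementation of the same detection logic, written for this page as an added example; it is not WSO2 CEP or Siddhi code and is not part of the original sample. It emulates the query above over a constructed list of authStream events (the event timestamps, in milliseconds, are an assumption, since the page does not show the stream definition) and exposes the 'every' keyword as a flag so the difference described in the text can be observed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

WINDOW_MS = 10_000  # the query's 'within 10000' (milliseconds)


@dataclass(frozen=True)
class AuthEvent:
    """One event on authStream. 'username' and 'ipAddress' follow the sample's
    query; 'timestamp' (epoch milliseconds) is assumed for this example."""
    timestamp: int
    username: str
    ipAddress: str


# An alert as it would be inserted into alertStream: (username, ip1, ip2)
Alert = Tuple[str, str, str]


def detect_suspicious_logins(events: Iterable[AuthEvent], every: bool = True,
                             window_ms: int = WINDOW_MS) -> List[Alert]:
    """Emulate 'from every a1 = authStream -> b1 = authStream[...] within window_ms'.

    every=True: each arriving event starts a new a1 instance, so the pattern is
    searched repeatedly. every=False: only the first event becomes a1 and the
    pattern fires at most once, as the text describes when 'every' is omitted.
    Events must be supplied in arrival order, as a CEP engine would see them.
    """
    alerts: List[Alert] = []
    live_a1: List[AuthEvent] = []  # pattern instances still waiting for their b1
    pattern_started = False
    pattern_done = False

    for ev in events:
        # 'within': drop a1 instances whose window elapsed before this event
        live_a1 = [a1 for a1 in live_a1 if ev.timestamp - a1.timestamp <= window_ms]

        if not pattern_done:
            # Try this event as b1 for every live a1:
            # username == a1.username and ipAddress != a1.ipAddress
            completed = [a1 for a1 in live_a1
                         if ev.username == a1.username and ev.ipAddress != a1.ipAddress]
            for a1 in completed:
                alerts.append((a1.username, a1.ipAddress, ev.ipAddress))
                live_a1.remove(a1)  # each a1 instance is consumed by its b1
            if completed and not every:
                pattern_done = True  # without 'every': match once, then stop

        # Register this event as a new a1 for a future b1
        if every:
            live_a1.append(ev)
        elif not pattern_started:
            live_a1.append(ev)
            pattern_started = True

    return alerts


# Constructed sample authStream events for this example (not real log data),
# listed in arrival order.
SAMPLE_EVENTS = [
    AuthEvent(1_000, "alice", "10.0.0.5"),
    AuthEvent(4_000, "bob", "10.0.0.7"),
    AuthEvent(6_000, "alice", "203.0.113.9"),   # alice, new IP, 5 s after a1: alert
    AuthEvent(8_000, "bob", "10.0.0.7"),        # bob, same IP as before: no alert
    AuthEvent(30_000, "bob", "198.51.100.2"),   # bob, new IP, but 22 s later: outside window
    AuthEvent(33_000, "bob", "10.0.0.7"),       # bob, new IP 3 s later: alert
]


if __name__ == "__main__":
    for alert in detect_suspicious_logins(SAMPLE_EVENTS):
        print("with every:   ", alert)
    for alert in detect_suspicious_logins(SAMPLE_EVENTS, every=False):
        print("without every:", alert)
```

With 'every' the sample input yields two alerts (one for alice, one for bob); without it only the alice pair is reported, because the pattern stops after its first match. Note that in this emulation each live a1 is completed independently, so several logins from one address followed by one from another address produce one alert per earlier login; and a legitimate user switching networks (for example from office Wi-Fi to a VPN) within 10 seconds also matches, so alertStream is better treated as triage input than as a blocking signal.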
This sample uses the WSO2Event format for both its input and output streams.
...