We have a use case where we need to find the pattern for brute force, like 10 failed logons from the same device and same username followed by a successful logon from the same username and same device. This should happen within 10 mins.
Let us say we have 10 login-failed Windows events with user A as username and B as device name, and we have a successful logon from user A with the same device B; we should raise an alert. Is there any way for Flink CEP to meet the mentioned use case? The device and username won't be known beforehand, and the cardinality of the fields is also not known.
With Flink CEP (using the Java DataStream API) you would use something like keyBy(event -> new Tuple2<>(event.user, event.device)) and then match the pattern against that key-partitioned stream. With Flink SQL's MATCH_RECOGNIZE, you want to PARTITION BY user, device.
The time constraint is handled by the WITHIN clause. For example:
PATTERN (F{10} S) WITHIN INTERVAL '10' MINUTE
DEFINE
F AS F.status = 'failure',
S AS S.status = 'success'
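A complete Flink SQL query built around that PATTERN/WITHIN/DEFINE fragment, added here as an example and not part of the original answer. The logon_events table, its column names (user_name, device, status, event_time), the watermark and the connector placeholder are all assumptions, since the question does not define a schema; user_name is used instead of user because USER is a reserved word in SQL.

```sql
-- Added example, not from the original answer.
-- Assumed source table: one row per Windows logon event, with an
-- event-time watermark so MATCH_RECOGNIZE can order rows by time.
CREATE TABLE logon_events (
  user_name  STRING,
  device     STRING,
  status     STRING,          -- 'failure' or 'success'
  event_time TIMESTAMP(3),
  WATERMARK FOR event_time AS event_time - INTERVAL '5' SECOND
) WITH (
  'connector' = '<your-connector>'   -- placeholder; e.g. a Kafka topic of logon events
);

-- Alert rows: 10 consecutive failures followed by a success, for the same
-- (user_name, device) key, with the whole sequence inside 10 minutes.
-- PARTITION BY handles keys that are unknown in advance and of any cardinality.
SELECT *
FROM logon_events
  MATCH_RECOGNIZE (
    PARTITION BY user_name, device
    ORDER BY event_time
    MEASURES
      FIRST(F.event_time) AS first_failure_time,
      S.event_time        AS success_time,
      COUNT(F.status)     AS failure_count
    ONE ROW PER MATCH
    AFTER MATCH SKIP PAST LAST ROW   -- do not re-use rows of a fired alert
    PATTERN (F{10} S) WITHIN INTERVAL '10' MINUTE
    DEFINE
      F AS F.status = 'failure',
      S AS S.status = 'success'
  ) AS brute_force_alerts;
```

Two points worth knowing when tuning this: F{10} S is strictly contiguous within a partition, so an interleaved success among the failures breaks the sequence and the count starts over, which is usually what you want for this rule; and AFTER MATCH SKIP PAST LAST ROW ensures the events consumed by one alert are not counted again toward the next one.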