View all questions & answers for the NSE 7 - Security Operations 7.6 Architect Materials exam


Question 57 Discussion

You want to trigger an incident when multiple failed logins from the same host are followed by a successful login on that same host within 15 minutes. The rule must correlate all events by source IP address and user to ensure they belong to the same login sequence. Which three configurations achieve this goal? (Choose three answers)

  • A. Ensure both subpatterns have the same aggregate condition.
  • B. Define a time window condition for each subpattern.
  • C. Configure two subpatterns—one for failed logins and one for the successful login.
  • D. Apply sequential logic using a FOLLOWED_BY operator between the two subpatterns.
  • E. Define the subpattern relationships and constraints.
Correct Answer: B, C, D

Brave-Dump Clients Votes

BCD 100%

Comments



Simon Cliffe 2026-02-15 21:56:51

Selected Answers: B, C, D


BCD