

NSE 7 - Security Operations 7.6 Architect Materials-Question 57 Discussion

You want to trigger an incident when multiple failed logins from the same host are followed by a successful login on that same host within 15 minutes. The rule must correlate all events by source IP address and user to ensure they belong to the same login sequence. Which three configurations achieve this goal? (Choose three answers)

  • A. Ensure both subpatterns have the same aggregate condition.
  • B. Define a time window condition for each subpattern.
  • C. Configure two subpatterns—one for failed logins and one for the successful login.
  • D. Apply sequential logic using a FOLLOWED_BY operator between the two subpatterns.
  • E. Define the subpattern relationships and constraints.
Correct Answer: C,D,E

Brave-Dump Clients Votes

CDE 50%
BCD 25%
ADE 25%

Comments



Simon Cliffe 2026-02-15 21:56:51

Selected Answers: B, C, D


BCD


Anonymous User 2026-03-08 01:17:30

Selected Answers: A, D, E


ADE


Anonymous User 2026-04-14 03:30:43

Selected Answers: C, D, E


Answer: C, D, E
C — Two separate subpatterns are needed: one for failed logins, one for the successful login.
D — FOLLOWED_BY enforces the required sequence — failures must occur before the success.
E — Constraints ensure correlation by source IP and user between subpatterns, so failed logins from User A aren't matched with a successful login from User B. The study guide (page 108) explicitly calls this "the relationship, also called a constraint."
Why not A: "Multiple failed logins" needs COUNT >= 5 (or similar), while the successful login only needs COUNT >= 1. They should NOT have the same aggregate.
Why not B: The time window (15 minutes) is defined at the rule level, not per subpattern.
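To make the rule logic above concrete, here is an added Python example (not FortiSIEM code and not part of the original discussion) that applies the same correlation to a constructed event list: a "failed login" subpattern FOLLOWED_BY a "successful login" subpattern, constrained to the same source IP and user, inside a single 15-minute rule-level window. The failure threshold of 3 and the tuple event format are assumptions.

```python
"""Toy correlator for: multiple FAILED logins FOLLOWED_BY a SUCCESS login,
same src_ip and user (the constraint), within a 15-minute rule-level window.
Added example; threshold and event format are assumed, not FortiSIEM's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # rule-level time window (from the question)
FAIL_THRESHOLD = 3               # assumed value for "multiple" failed logins

# Constructed sample events: (timestamp, event_type, src_ip, user)
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "FAILED",  "10.0.0.5", "alice"),
    ("2024-01-01 10:01:00", "FAILED",  "10.0.0.5", "alice"),
    ("2024-01-01 10:02:00", "FAILED",  "10.0.0.5", "bob"),    # other user: not counted
    ("2024-01-01 10:03:00", "FAILED",  "10.0.0.5", "alice"),
    ("2024-01-01 10:05:00", "SUCCESS", "10.0.0.5", "alice"),  # fires: 3 failures, then success
    ("2024-01-01 10:06:00", "SUCCESS", "10.0.0.9", "bob"),    # other host: no incident
    ("2024-01-01 11:00:00", "FAILED",  "10.0.0.7", "carol"),
    ("2024-01-01 11:00:30", "FAILED",  "10.0.0.7", "carol"),
    ("2024-01-01 11:01:00", "FAILED",  "10.0.0.7", "carol"),
    ("2024-01-01 11:30:00", "SUCCESS", "10.0.0.7", "carol"),  # failures aged out of window
]

def correlate(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Return one incident per SUCCESS preceded by >= threshold FAILED events
    from the same (src_ip, user) within `window` (FOLLOWED_BY ordering)."""
    failures = defaultdict(deque)   # constraint key (src_ip, user) -> failure timestamps
    incidents = []
    for ts_str, etype, src_ip, user in sorted(events):   # process in time order
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = failures[(src_ip, user)]
        while q and ts - q[0] > window:   # drop failures outside the rule window
            q.popleft()
        if etype == "FAILED":
            q.append(ts)
        elif etype == "SUCCESS":
            if len(q) >= threshold:
                incidents.append({"src_ip": src_ip, "user": user,
                                  "failed_count": len(q), "success_at": ts_str})
            q.clear()   # the sequence is consumed once the success is evaluated
    return incidents

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc)
```

Only the alice sequence from 10.0.0.5 produces an incident; bob's failure is excluded by the user constraint, and carol's failures fall outside the 15-minute window.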


Brave-Dumps.com Admin 2026-04-15 10:29:32

Selected Answers: C, D, E


C, D, E