I'm trying to set up the above, so that when an enrollment event happens after a successful authentication event, we receive an email and take a look to see if something interesting is happening with a user's account.
So far I've come up with this:
Building block for enrollment events
Building block for duo authentication events
Rule:
when BB: duo_eventtype_enrollment match at least 1 times in 10 minutes after any of BB: duo_eventtype_auth match
The problem is that I need to add logic that looks at username. Right now this will fire just because these two things happened, but it can be for different users... So it's a noisy alert. But if I could add in logic that makes it only fire when this happens for the same username, it would clean that up a lot.
Any ideas? Thank you.
------------------------------
bryan mcclenahan
------------------------------
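
The per-user correlation described in the post, written out as an added example that is not part of the original post and is not QRadar rule syntax: an enrollment only alerts when the same username had a successful authentication in the preceding 10 minutes. The event field names (`ts`, `type`, `result`, `username`) and the sample events are constructed for illustration and are not Duo's or QRadar's schema.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # same window as the rule in the post

# Constructed sample events (assumed field names, not a real log schema).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "auth", "result": "success", "username": "alice"},
    {"ts": "2024-05-01T09:02:00", "type": "enrollment", "username": "bob"},    # other user
    {"ts": "2024-05-01T09:04:00", "type": "enrollment", "username": "Alice"},  # same user, 4 min
    {"ts": "2024-05-01T09:05:00", "type": "auth", "result": "failure", "username": "carol"},
    {"ts": "2024-05-01T09:06:00", "type": "enrollment", "username": "carol"},  # auth failed
    {"ts": "2024-05-01T09:30:00", "type": "auth", "result": "success", "username": "dave"},
    {"ts": "2024-05-01T09:45:00", "type": "enrollment", "username": "dave"},   # 15 min, too late
]


def correlate(events, window=WINDOW):
    """Return (username, auth_time, enrollment_time) for every enrollment that
    follows a successful auth by the same username within the window."""
    last_auth = {}  # normalized username -> time of most recent successful auth
    alerts = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        # Normalize so "Alice" and "alice" are treated as the same account.
        user = ev["username"].strip().lower()
        if ev["type"] == "auth" and ev.get("result") == "success":
            last_auth[user] = ts
        elif ev["type"] == "enrollment":
            auth_ts = last_auth.get(user)
            # Fire only when this user's own auth falls inside the window.
            if auth_ts is not None and ts - auth_ts <= window:
                alerts.append((user, auth_ts, ts))
    return alerts


if __name__ == "__main__":
    for user, auth_ts, enroll_ts in correlate(EVENTS):
        print(f"ALERT {user}: auth {auth_ts} -> enrollment {enroll_ts}")
```

Keying the lookup on the normalized username is what removes the cross-user noise: the bob, carol and dave enrollments above do not alert, only the alice one does.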