Apache Flink - Matching Fields with the same value

Question

We have a use case where we need to find the pattern for brute force like 10 failed logons from the same device and same username followed by a success logon from the same username and same device. This should happen within 10 mins.

Let us say we have 10 login failed windows events with user A as username and B as devicename and we have a success logon from user A with the same device B, we should raise an alert.Is there any way flink CEP to meet the mentioned use case. The device and username wont be known before hand, also the cardinality of the fields are not known.

David Anderson · Accepted Answer · 2021-10-28T07:50:57.673

2

With Flink CEP (using the Java DataStream API) you would use something like keyBy(event -> new Tuple2<>(event.user, event.device)) and then match the pattern against that key-partitioned stream. With Flink SQL's MATCH_RECOGNIZE, you want to PARTITION BY user, device.

The time constraint is handled by the WITHIN clause. For example:

PATTERN (F{10} S) WITHIN INTERVAL '10' MINUTE
DEFINE
  F.status = 'failure',
  S AS S.status = 'success'

edited Oct 28 '21 at 07:50

answered Oct 28 '21 at 07:23

David Anderson

39,434
4
33
60

Thanks the answer is really what I was looking for – JDForLife Oct 28 '21 at 07:28
Glad it helped. BTW, I've cleaned up the example. – David Anderson Oct 28 '21 at 07:53
I'd appreciate it if you would accept the answer. – David Anderson Oct 28 '21 at 18:00

Apache Flink - Matching Fields with the same value

1 Answers1

Linked