Detect the first lock out attempt by a given user name and only generate an email on the first attempt and just log any subsequent login attempts for the next hour after the lock out has occured without generating multiple emails.
VPN system message (sample):
Aug 4 17:12:04 192.168.3.2 CisACS_02_FailedAuth 1 0 Message-Type=Authen failed,User-Name=domain\username1,NAS-IP-Address=192.168.3.131,Authen-Failure-Code=External DB account locked out,NAS-Port=1,Group-Name=Default Group
+-RunScript: "Script_TimeInterval_Per_User.txt" <--add this here
The script maintains a dictionary containing the usernames and when they were initially heard from (date/time).
The script will ignore subsequent messages (for that user) for a specified period of time (60 minutes in the download script). The script will specify an ActionQuit = 100 for messages that are not to send email. ActionQuit (100) skips the E-mail action and continues processing the message as normal in the next rule.