All, I'm trying to figure out how to get the SIEM to alert when the same user is locked out multiple times in a certain time frame. Say twice in five minutes or something similar. Does anyone have any idea how to do this? I have researched and tested but am not having any luck. An alarm by itself doesn't seem to allow for the complexity of determining if the same account generated the lockout message. I've created a correlation rule but am stumped as to how to tell it that I want this alert to fire only if it's the same account getting locked out. Any help would be appreciated, thank you.
There are 2 ways to do it:
1.Real-time Alert(ver.9.4 and higher)--not tested by me.
2.Create Correlation rule and then Alarm to monitor for ocurence of the correlation rule.
Let me know if you get stuck.
Create a correlation rule:
Add the AD Account lockout signature ID
Monitor Source User
Define the amount of events (how many lockouts)
Define your threshold under parameters (Timeframe)
Shout if you need help we have implemented this in our environment for the Security Administrators.
Please create a correlation rule or use the condition given in the below correlation rule in your multiple condition alarm (v9.4) and it should work.
I am having a very similar issue with the appliance we have set up here. I want to capture 5 account lockouts in a 24 hour period. Created the below correlation rule:
I have also created an alarm associated with this rule that triggers on the signature id of this specific correlation rule, however, i have not received an email notification. Is there somewhere where i need to enable/activate the rule for example? I have ensure the rule in the correlation window is set to enable and it's in real-time, or as real-time as you can get. Is tehre a method of pushing this out to the devices etc or am i clutching at straws now?
Many thanks for your help.
I think monitoring lockouts over a 24 hour period to trigger this alarm is too much for the SEIM to handle depending on the number of userids in your organization..
Hi, to solve your problem you need to change in the settings of the correlation rule and set to detect same user try to access Number of time that you specified during an amount of time. doing this you can set exactly your correlation rule to be fired only at the condition you specified.