cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
dtmc
Level 7
Report Inappropriate Content
Message 1 of 8
‎10-07-2014 01:14 PM

Alert for when the same user gets locked out twice in a set time frame

All, I'm trying to figure out how to get the SIEM to alert when the same user is locked out multiple times in a certain time frame. Say twice in five minutes or something similar. Does anyone have any idea how to do this? I have researched and tested but am not having any luck. An alarm by itself doesn't seem to allow for the complexity of determining if the same account generated the lockout message. I've created a correlation rule but am stumped as to how to tell it that I want this alert to fire only if it's the same account getting locked out. Any help would be appreciated, thank you.

0 Kudos
Reply
7 Replies
Highlighted
alexander_h
Level 12
Report Inappropriate Content
Message 2 of 8
‎10-07-2014 02:00 PM

Re: Alert for when the same user gets locked out twice in a set time frame

Hi,

There are 2 ways to do it:

1.Real-time Alert(ver.9.4 and higher)--not tested by me.

2.Create Correlation rule and then Alarm to monitor for ocurence of the correlation rule.

Let me know if you get stuck.

0 Kudos
Reply
Highlighted
japie
Level 9
Report Inappropriate Content
Message 3 of 8
‎10-07-2014 02:04 PM

Re: Alert for when the same user gets locked out twice in a set time frame

Hi DTMC

Create a correlation rule:

Add the AD Account lockout signature ID

Monitor Source User

Define the amount of events (how many lockouts)

Define your threshold under parameters (Timeframe)

Shout if you need help we have implemented this in our environment for the Security Administrators.

Regards,

Japie

Reply
Highlighted
vinaya_k
Level 9
Report Inappropriate Content
Message 4 of 8
‎10-08-2014 02:05 AM

Re: Alert for when the same user gets locked out twice in a set time frame

Hi DTMC,

Please create a correlation rule or use the condition given in the below correlation rule in your multiple condition alarm (v9.4) and it should work.

Account Lockout.jpg

Regards,

Vinaya

0 Kudos
Reply
Highlighted
nick.broughton
Level 7
Report Inappropriate Content
Message 5 of 8
‎04-04-2016 08:19 AM

Re: Alert for when the same user gets locked out twice in a set time frame

Hi Japie

I am having a very similar issue with the appliance we have set up here. I want to capture 5 account lockouts in a 24 hour period. Created the below correlation rule:

I have also created an alarm associated with this rule that triggers on the signature id of this specific correlation rule, however, i have not received an email notification. Is there somewhere where i need to enable/activate the rule for example? I have ensure the rule in the correlation window is set to enable and it's in real-time, or as real-time as you can get. Is tehre a method of pushing this out to the devices etc or am i clutching at straws now?

Many thanks for your help.

0 Kudos
Reply
Highlighted
kenn1
Level 7
Report Inappropriate Content
Message 6 of 8
‎04-26-2016 07:38 AM

Re: Alert for when the same user gets locked out twice in a set time frame

I think monitoring lockouts over a 24 hour period to trigger this alarm is too much for the SEIM to handle depending on the number of userids in your organization..

0 Kudos
Reply
Highlighted
dtmc
Level 7
Report Inappropriate Content
Message 7 of 8
‎10-21-2014 05:58 AM

Re: Alert for when the same user gets locked out twice in a set time frame

Everyone, thank you for your assistance!

0 Kudos
Reply
Highlighted
yassinezeroual
Level 10
Report Inappropriate Content
Message 8 of 8
‎05-03-2016 12:18 PM

Re: Alert for when the same user gets locked out twice in a set time frame

Hi, to solve your problem you need to change in the settings of the correlation rule and set to detect same user try to access Number of time that you specified during an amount of time. doing this you can set exactly your correlation rule to be fired only at the condition you specified.

Good luck.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
2821 Mission College Blvd.
Santa Clara, CA 95054 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC