Alerting rules

Good afternoon all

I have managed (in my infinite wisdom - or a lack thereof) to create an alert for account lockouts from logs that have been collected from our DCs. I now need to take this a step further by creating a rule that will alert me when the same user account has been locked out 5 times within 24 hours. I am not targeting a specific user, just a general rule, but the account lockouts need to be the same user that has locked their account out 5 times within that time period.

Admittedly the vast majority of my searches have not been very successful. I am going to assume that a correlation rule will be required but have no idea how to set this up. If there is a very kind and willing person out there that is happy to assist, ideally with some kind of step by step guide it would be very much appreciated as I am still very much a beginner when it comes to the SIEM.

If it helps, we are currently running ESM version 9.5.0 MR4 with the following content packs:

After having a quick glance through the pre-defined correlation rules I can see that there is multiple failed login attempts but nothing that refers to account lockouts. Can the current rules be manipulated to fit my requirements?

Many thanks in advance for any assistance/advice that is forthcoming.

1 Reply
andy777
McAfee Employee
Message 2 of 2

Re: Alerting rules

There is enough detail in this thread to get you going. I used your example as my use case.
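
The correlation asked for in the question (same account, 5 lockouts, 24 hours), written out as an added example that is not from either post and is not ESM rule syntax: it groups lockout events by account and counts them in a sliding window. It assumes the input is already filtered to lockout events (for DC logs, Windows event ID 4740); the line format, sample data and function names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one "<ISO timestamp> <account>" line per lockout event.
SAMPLE = """\
2024-03-01T08:00:00 alice
2024-03-01T09:30:00 bob
2024-03-01T10:15:00 ALICE
2024-03-01T13:00:00 alice
2024-03-01T17:00:00 bob
2024-03-01T21:45:00 alice
2024-03-02T01:00:00 bob
2024-03-02T07:59:00 Alice
2024-03-02T09:00:00 bob
2024-03-02T15:30:00 bob
2024-03-02T16:00:00 carol
"""

def parse_event(line):
    """Split a constructed sample line into (timestamp, account)."""
    ts, user = line.split()
    # Windows account names are case-insensitive, so normalise before grouping.
    return datetime.fromisoformat(ts), user.lower()

def correlate_lockouts(lines, threshold=5, window=timedelta(hours=24)):
    """Return (user, first_ts, last_ts) each time one account reaches
    `threshold` lockouts inside `window`."""
    recent = defaultdict(deque)  # per-account timestamps still inside the window
    alerts = []
    # Sort first: events from several DCs rarely arrive in time order.
    for ts, user in sorted(parse_event(l) for l in lines if l.strip()):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop lockouts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, q[0], ts))
            q.clear()  # re-arm: a further 5 lockouts are needed to alert again
    return alerts

if __name__ == "__main__":
    for user, first, last in correlate_lockouts(SAMPLE.splitlines()):
        print(f"ALERT {user}: 5 lockouts between {first} and {last}")
```

In the sample, bob also has five lockouts, but they span 30 hours, so no 24-hour window ever holds more than four and only alice alerts.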
