I have managed (in my infinite wisdom - or a lack thereof) to create an alert for account lockouts from logs that have been collected from our DCs. I now need to take this a step further by creating a rule that will alert me when the same user account has been locked out 5 times within 24 hours. I am not targeting a specific user, just a general rule, but the account lockouts need to be the same user that has locked their account out 5 times within that time period.
Admittedly, the vast majority of my searches have not been very successful. I am going to assume that a correlation rule will be required but have no idea how to set this up. If there is a very kind and willing person out there who is happy to assist, ideally with some kind of step-by-step guide, it would be very much appreciated, as I am still very much a beginner when it comes to the SIEM.
If it helps, we are currently running ESM version 9.5.0 MR4 with the following content packs:
After having a quick glance through the pre-defined correlation rules I can see that there are multiple failed login attempts, but nothing that refers to account lockouts. Can the current rules be manipulated to fit my requirements?
Many thanks in advance for any assistance/advice that is forthcoming.
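The correlation logic the post asks for (same account, 5 lockouts inside a sliding 24-hour window), written out as an added standalone example rather than as an ESM rule; it is not from the original post or from the vendor. It assumes the DC logs have been normalised to "timestamp,event_id,user" lines, with 4740 as the Windows account-lockout event ID; the log lines below are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_EVENT_ID = 4740  # Windows Security: "A user account was locked out"

# Constructed sample DC log lines (not real data): timestamp,event_id,user
SAMPLE_LOG_LINES = [
    "2024-03-01T08:00:00,4740,jsmith",
    "2024-03-01T09:15:00,4740,jsmith",
    "2024-03-01T10:30:00,4625,jsmith",  # failed logon, not a lockout: ignored
    "2024-03-01T12:00:00,4740,ajones",
    "2024-03-01T14:45:00,4740,jsmith",
    "2024-03-01T20:10:00,4740,jsmith",
    "2024-03-02T07:50:00,4740,jsmith",  # 5th jsmith lockout within 24h of the 1st
    "2024-03-02T09:00:00,4740,ajones",
    "2024-03-03T09:00:00,4740,ajones",
    "2024-03-04T09:00:00,4740,ajones",
    "2024-03-05T09:00:00,4740,ajones",  # ajones: 5 lockouts, but spread over 4 days
]


def parse_line(line):
    """Split one normalised log line into (timestamp, event_id, user)."""
    ts, event_id, user = line.split(",", 2)
    return datetime.fromisoformat(ts), int(event_id), user.strip().lower()


def detect_repeat_lockouts(lines, threshold=5, window=timedelta(hours=24)):
    """Return [(user, iso_timestamp)] for every time a user reaches
    `threshold` lockouts within a sliding `window` (inclusive of the edge)."""
    events = sorted(parse_line(l) for l in lines)  # logs may arrive out of order
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    alerts = []
    for ts, event_id, user in events:
        if event_id != LOCKOUT_EVENT_ID:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop lockouts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts.isoformat()))
            q.clear()  # one alert per burst; counting restarts afterwards
    return alerts


if __name__ == "__main__":
    for user, when in detect_repeat_lockouts(SAMPLE_LOG_LINES):
        print(f"ALERT: {user} locked out {5} times within 24h, last at {when}")
```

Only jsmith fires: ajones has five lockouts in total but never five inside any 24-hour window, and the 4625 failed-logon event is not counted.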