cancel
Showing results for 
Search instead for 
Did you mean: 

Username and password sharing

Hi all

I'm new to the Mcafee SIEM product but I would like to know how to write a rule that triggers when username and password sharing may be taking place. I would like a rule to trigger if within a 30 minute window 2 or more successful logins to 1 server have occured with same username but from different source IP's?

Any help would be appreciated

1 Reply

Re: Username and password sharing

Two predefined correlation rules do something like this - signature IDs 47-4000137 and 47-4000138.

Be aware that it is not unusual for users to be interacting with systems from multiple devices - e.g. smart phones as well as desk devices - and this will generate false positives for your use case.

cheers,

Andrew