I'm new to the McAfee SIEM product but I would like to know how to write a rule that triggers when username and password sharing may be taking place. I would like a rule to trigger if within a 30 minute window 2 or more successful logins to 1 server have occurred with the same username but from different source IPs?
Any help would be appreciated
Two predefined correlation rules do something like this - signature IDs 47-4000137 and 47-4000138.
Be aware that it is not unusual for users to be interacting with systems from multiple devices - e.g. smart phones as well as desk devices - and this will generate false positives for your use case.
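The correlation logic the question describes, written out as an added Python example (not McAfee SIEM rule syntax and not the predefined rules named above); it assumes events arrive in time order and runs over constructed sample log lines:

```python
# Added example (not McAfee SIEM rule syntax): sliding-window correlation
# that flags a (user, server) pair with successful logins from two or more
# distinct source IPs inside 30 minutes. Sample events are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

# Constructed sample log lines: "timestamp user server src_ip outcome"
SAMPLE_LOG = """\
2024-01-10T09:00:00 alice srv01 10.0.0.5 success
2024-01-10T09:05:00 alice srv01 10.0.0.5 success
2024-01-10T09:10:00 alice srv01 192.168.1.20 success
2024-01-10T09:12:00 bob srv01 10.0.0.9 failure
2024-01-10T09:15:00 bob srv01 10.0.0.77 success
2024-01-10T10:30:00 bob srv01 10.0.0.9 success
2024-01-10T10:40:00 carol srv02 10.0.0.3 success
2024-01-10T10:45:00 carol srv03 10.0.0.4 success
"""


def find_shared_logins(lines, window=WINDOW):
    """Return alerts as (user, server, distinct IPs, alert time).

    Events are assumed to arrive in time order, as a SIEM pipeline
    delivers them; only successful logins take part in the correlation.
    """
    recent = defaultdict(deque)  # (user, server) -> deque of (ts, ip)
    alerts = []
    for line in lines:
        ts_text, user, server, ip, outcome = line.split()
        if outcome != "success":
            continue  # failed logins do not count toward the rule
        ts = datetime.fromisoformat(ts_text)
        q = recent[(user, server)]
        q.append((ts, ip))
        # Drop events that have aged out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        ips = tuple(sorted({e_ip for _, e_ip in q}))
        if len(ips) >= 2:
            alerts.append((user, server, ips, ts))
    return alerts


if __name__ == "__main__":
    for user, server, ips, ts in find_shared_logins(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user}@{server} from {', '.join(ips)}")
```

Only alice fires here: bob's two successes are 75 minutes apart and carol's hit different servers. To reduce the multi-device false positives mentioned above, a practitioner would typically exempt known users or require the source IPs to fall in different subnets before alerting.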