Along with greetings, I am looking for the criticality thresholds of the following correlation rules within the ESM:
• Rule Name: Login - Brute Force Login Attempts from multiple Sources
• Rule Name: Login - Brute Force Login Attempts to remote Host.
• Rule Name: Login - Brute Force Login Attempts on an Internal Host from a multiple sources.
• Rule Name: Database - unique Database Access multiple Attempt Failures
• Rule Name: Database - Excessive Database Connections From Multiple Source
• Rule Name: Database - Attempted Database Configuration Change by a Local Host
• Rule Name: Component - Events to a Source Network