1 Reply Latest reply on Jul 6, 2014 5:22 PM by acommons

    Username and password sharing

    pickles

      Hi all

       

      I'm new to the McAfee SIEM product but I would like to know how to write a rule that triggers when username and password sharing may be taking place. I would like a rule to trigger if within a 30 minute window 2 or more successful logins to 1 server have occurred with same username but from different source IPs?

       

      Any help would be appreciated

        • 1. Re: Username and password sharing
          acommons

          Two predefined correlation rules do something like this - signature IDs 47-4000137 and 47-4000138.

           

          Be aware that it is not unusual for users to be interacting with systems from multiple devices - e.g. smart phones as well as desk devices - and this will generate false positives for your use case.

           

          cheers,

          Andrew
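
The correlation asked about in this thread, written out as an added Python example (not part of the original posts and not the logic of the predefined McAfee rules): a 30-minute sliding window per server and username that alerts when a successful login arrives from a source IP not yet seen in that window. The event tuple layout, field names and sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # window size from the question
MIN_DISTINCT_IPS = 2            # "2 or more" logins from different source IPs

# Constructed sample events: (timestamp, server, username, source IP, outcome)
SAMPLE_EVENTS = [
    ("2014-07-06 09:00:00", "srv01", "alice", "10.0.0.5", "success"),
    ("2014-07-06 09:10:00", "srv01", "alice", "10.0.0.5", "success"),   # same IP again
    ("2014-07-06 09:20:00", "srv01", "alice", "10.0.9.77", "success"),  # second IP in window
    ("2014-07-06 09:25:00", "srv01", "bob", "10.0.0.8", "success"),
    ("2014-07-06 09:26:00", "srv01", "bob", "10.0.0.9", "failure"),     # failures are ignored
    ("2014-07-06 10:30:00", "srv01", "bob", "10.0.0.9", "success"),     # 65 min after 09:25
    ("2014-07-06 10:40:00", "srv02", "alice", "10.0.3.3", "success"),   # different server
]


def detect_shared_logins(events, window=WINDOW, min_ips=MIN_DISTINCT_IPS):
    """Return an alert each time a successful login brings the number of
    distinct source IPs for one (server, user) pair in the window to min_ips."""
    recent = defaultdict(deque)  # (server, user) -> deque of (time, ip)
    alerts = []
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), srv, user, ip, outcome)
        for ts, srv, user, ip, outcome in events
    )
    for when, server, user, ip, outcome in parsed:
        if outcome != "success":
            continue
        history = recent[(server, user)]
        # Drop logins that have aged out of the window.
        while history and when - history[0][0] > window:
            history.popleft()
        ips_before = {seen_ip for _, seen_ip in history}
        history.append((when, ip))
        ips_now = ips_before | {ip}
        # Alert only when this login adds a new IP, so repeat logins from
        # already-counted addresses do not re-fire the rule.
        if ip not in ips_before and len(ips_now) >= min_ips:
            alerts.append({"time": when, "server": server, "user": user,
                           "source_ips": sorted(ips_now)})
    return alerts


if __name__ == "__main__":
    for alert in detect_shared_logins(SAMPLE_EVENTS):
        print(alert)
```
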