7 Replies Latest reply on May 3, 2016 2:20 PM by yassinezeroual

    Alert for when the same user gets locked out twice in a set time frame

    dtmc

      All, I'm trying to figure out how to get the SIEM to alert when the same user is locked out multiple times in a certain time frame. Say twice in five minutes or something similar. Does anyone have any idea how to do this? I have researched and tested but am not having any luck. An alarm by itself doesn't seem to allow for the complexity of determining if the same account generated the lockout message. I've created a correlation rule but am stumped as to how to tell it that I want this alert to fire only if it's the same account getting locked out. Any help would be appreciated, thank you.
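The grouping the question describes, as an added example that is not part of the original post and is not the SIEM product's rule syntax: count lockout events per account inside a sliding window and alert only when one account reaches the threshold. The event tuples, the function name `repeated_lockouts`, and the case-insensitive account matching are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lockout events (timestamp, account); not taken from the thread.
SAMPLE_EVENTS = [
    ("2016-05-03 14:00:05", "alice"),
    ("2016-05-03 14:01:10", "bob"),
    ("2016-05-03 14:03:40", "alice"),  # alice again within 5 minutes
    ("2016-05-03 14:09:00", "bob"),    # bob again, but 7m50s after his first
    ("2016-05-03 14:20:00", "alice"),  # outside alice's earlier window
    ("2016-05-03 14:21:00", "carol"),
    ("2016-05-03 14:24:59", "CAROL"),  # same account reported in a different case
]


def repeated_lockouts(events, threshold=2, window=timedelta(minutes=5)):
    """Return (account, first_seen, last_seen, count) for each account that is
    locked out `threshold` or more times within `window`."""
    recent = defaultdict(deque)  # account -> lockout timestamps still in the window
    alerts = []
    # The timestamp format sorts chronologically as text, so sort before scanning.
    for ts_text, account in sorted(events):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        # Assumption: account names are case-insensitive, so normalise the key.
        key = account.strip().lower()
        seen = recent[key]
        seen.append(ts)
        # Drop this account's lockouts that have aged out of the window.
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            alerts.append((key, seen[0], ts, len(seen)))
            seen.clear()  # reset so one burst produces one alert, not many
    return alerts


if __name__ == "__main__":
    for account, first, last, count in repeated_lockouts(SAMPLE_EVENTS):
        print(f"{account}: {count} lockouts between {first} and {last}")
```

The per-account key is what keeps two different users locking out within the same five minutes from triggering the alert.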