There are 2 ways to do it:
1. Real-time Alert (ver. 9.4 and higher) -- not tested by me.
2. Create a correlation rule and then an alarm to monitor for occurrence of the correlation rule.
Let me know if you get stuck.
Create a correlation rule:
Add the AD Account lockout signature ID
Monitor Source User
Define the amount of events (how many lockouts)
Define your threshold under parameters (Timeframe)
Shout if you need help; we have implemented this in our environment for the Security Administrators.
Everyone, thank you for your assistance!
I am having a very similar issue with the appliance we have set up here. I want to capture 5 account lockouts in a 24 hour period. Created the below correlation rule:
I have also created an alarm associated with this rule that triggers on the signature id of this specific correlation rule, however, I have not received an email notification. Is there somewhere where I need to enable/activate the rule for example? I have ensured the rule in the correlation window is set to enable and it's in real-time, or as real-time as you can get. Is there a method of pushing this out to the devices etc or am I clutching at straws now?
Many thanks for your help.
I think monitoring lockouts over a 24 hour period to trigger this alarm is too much for the SIEM to handle depending on the number of userids in your organization.
Hi, to solve your problem you need to change the settings of the correlation rule and set it to detect the same user trying to access the number of times that you specified during an amount of time. Doing this you can set your correlation rule to be fired exactly at the condition you specified.
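The correlation logic the thread describes (the step list above: match the lockout signature, group by source user, count N events within a timeframe; and the last reply's "same user, N times, within an amount of time" condition) can be written out as a small sliding-window counter. The example below is added here and is not the SIEM product's own code or any poster's configuration. It assumes Windows Security event 4740 ("A user account was locked out") as the lockout event; the vendor signature ID that maps to it is not shown on this page. The log lines are constructed sample data, and the rule fires once per user when the threshold is reached and then resets that user's window, so one burst does not fire again on every following lockout.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, Windows event ID, affected account.
# 4740 = Windows "A user account was locked out"; 4624 (a logon) is included as noise
# to show that only the configured lockout event is counted.
SAMPLE_LOG = """\
2024-03-01T08:00:00 4740 TargetUserName=jsmith
2024-03-01T08:05:00 4740 TargetUserName=jsmith
2024-03-01T09:10:00 4740 TargetUserName=adoe
2024-03-01T10:30:00 4740 TargetUserName=jsmith
2024-03-01T11:45:00 4624 TargetUserName=jsmith
2024-03-01T14:00:00 4740 TargetUserName=jsmith
2024-03-01T20:15:00 4740 TargetUserName=jsmith
2024-03-02T07:59:00 4740 TargetUserName=adoe
2024-03-02T09:00:00 4740 TargetUserName=jsmith
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event_id, user)."""
    ts, event_id, rest = line.split(" ", 2)
    user = rest.split("=", 1)[1]
    return datetime.fromisoformat(ts), int(event_id), user


def correlate_lockouts(log_text, lockout_event_id=4740,
                       threshold=5, window=timedelta(hours=24)):
    """Sliding-window correlation: fire when one user accumulates `threshold`
    lockout events within `window`. Returns a list of (user, fire_time).

    Per-user state is a deque of recent lockout timestamps; entries older than
    the window are dropped as new events arrive, so memory per user is bounded
    by the threshold, regardless of how long the window is."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # user -> timestamps inside the current window
    alarms = []
    for ts, event_id, user in events:
        if event_id != lockout_event_id:
            continue               # only the lockout signature is counted
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # expire lockouts outside the timeframe
        if len(q) >= threshold:
            alarms.append((user, ts))
            q.clear()              # reset so the same burst fires only once
    return alarms


if __name__ == "__main__":
    # The thread's case: 5 lockouts of the same account within 24 hours.
    for user, when in correlate_lockouts(SAMPLE_LOG, threshold=5):
        print(f"ALARM: {user} reached 5 lockouts at {when.isoformat()}")
```

With the sample data, jsmith reaches five lockouts at 2024-03-01T20:15 and fires once; adoe never does, and the 4624 logon is ignored. Shrinking the window (for example to two hours) shows the expiry side of the rule: only the two lockouts five minutes apart are ever counted together. The bounded per-user state is also what keeps a long timeframe such as 24 hours cheap: a rule only has to remember up to `threshold` timestamps for each user, not every event in the day.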