3 Replies Latest reply on Feb 19, 2015 8:49 AM by robert_dearbytes

    Simply Correlation Rule - 5 failed logon attempts for that same user


      Hi guys,


      Simply (not in McAfee) CRL.


      I need to alarm if 5 failed logon attempts have place in 5 minutes time period for that same user.

      I did correlation


      Filters - and Normalization Rule in  [Login]

      Event subtype in [failure]


      How to set this condition that it have to be done 5 times in 5 mintes for that same user name?