3 Replies Latest reply on Feb 19, 2015 8:49 AM by robert_dearbytes

    Simply Correlation Rule - 5 failed logon attempts for that same user

    michal_be

      Hi guys,

       

      Simply (not in McAfee) CRL.

       

      I need to alarm if 5 failed logon attempts have place in 5 minutes time period for that same user.

      I did correlation

       

      Filters - and Normalization Rule in  [Login]

      Event subtype in [failure]

       

      How to set this condition that it have to be done 5 times in 5 mintes for that same user name?

       

      PLS HELP ME