HIPS 7.0 and 8.0 do not have this functionality. Signature 954 does not apply to HIPS 7 or 8; older HIPS versions (6.x) are EOL.
General Signature Description (Refer to KB article 51504 for details about supported platforms.) This event indicates a failed logon attempt. This could be the result of a brute force password-guessing attempt. Note: Signature is not applicable to Host IPS 7.0 and above.
McAfee Solidcore (Application and Change Control) can perform this function, though, with the UAT-MON module and the Event IDs below.
KB76990 - User LOGON / LOGOFF events are not reported for Change Control 5.x and 6.x
KB81141 - ePolicy Orchestrator Event IDs for Application and Change Control (Solidcore)
20789: User Logged On (Info)
20790: User Logon Failed (Info)
20791: User Logged Off (Info)
20792: User Account Created (Info)
20793: User Account Deleted (Info)
20794: User Account Modified (Info)
Solidcore Help FAQ from ePO Console:
Why am I not receiving the events for user account activity for an endpoint?
User account activity is not tracked by default for endpoints. To track operations for user accounts, you must enable this feature specifically on endpoints where Change Control is deployed and enabled. To enable this feature, execute the SC: Run Commands client task to run the sadmin features enable mon-uat command on the endpoint.
In addition, you must make sure that the Audit Policy is configured on the Windows operating system to allow generation of user activity events.
To successfully track user account activity for an endpoint, verify the Audit Policy configuration for the endpoint.
1. Navigate to Control Panel | Administrative Tools.
2. Double-click Local Security Policy.
3. Select Local Policies | Audit Policy.
4. Double-click the Audit account logon events policy.
5. Select Success and Failure, then click OK.
6. Repeat steps 4 and 5 for the Audit account management and Audit logon events policies.
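The Audit Policy verification above can also be scripted. This is an added example, not part of the original post or the McAfee documentation: it reads the effective policy with the Windows auditpol tool and flags anything not set to Success and Failure. It assumes an elevated PowerShell prompt and English-language Windows category names; the function name Test-AuditCategory is hypothetical.

```powershell
# Added example: checks the three Audit Policy entries named in the steps above.
# Left side: name shown in Local Security Policy. Right side: the matching
# auditpol category (English-language Windows assumed).
$required = [ordered]@{
    'Audit account logon events' = 'Account Logon'
    'Audit account management'   = 'Account Management'
    'Audit logon events'         = 'Logon/Logoff'
}

function Test-AuditCategory {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$Category,
        # Optional: saved output of "auditpol /get /category:<name> /r" for
        # offline review. When omitted, the local machine is queried.
        [string[]]$CsvLines
    )
    if (-not $CsvLines) {
        $CsvLines = & auditpol.exe /get "/category:$Category" /r
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol failed for '$Category' (is the prompt elevated?)"
        }
    }
    # /r emits CSV with a header row; drop blank lines before parsing.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    foreach ($row in $rows) {
        [pscustomobject]@{
            Policy      = $PolicyName
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'
            Compliant   = ($row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }
}

$results = foreach ($entry in $required.GetEnumerator()) {
    Test-AuditCategory -PolicyName $entry.Key -Category $entry.Value
}
$results | Format-Table -AutoSize

# A non-zero exit code lets a client task or scheduled job report the gap.
$gaps = @($results | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) subcategories are not auditing Success and Failure."
    exit 1
}
```

Setting a policy to Success and Failure in Local Security Policy applies to every subcategory in that category, which is why the script expects each subcategory row to report that value.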
Thank you so much for your time and valuable information. I’m on track now.