1 Reply Latest reply on Apr 6, 2016 12:59 PM by andy777

    Alerting rules

    nick.broughton

      Good afternoon all


      I have managed (in my infinite wisdom, or a lack thereof) to create an alert for account lockouts from logs that have been collected from our DCs. I now need to take this a step further by creating a rule that will alert me when the same user account has been locked out 5 times within 24 hours. I am not targeting a specific user, just a general rule, but the account lockouts need to be the same user who has locked their account out 5 times within that time period.


      Admittedly, the vast majority of my searches have not been very successful. I am going to assume that a correlation rule will be required, but I have no idea how to set this up. If there is a very kind and willing person out there who is happy to assist, ideally with some kind of step-by-step guide, it would be very much appreciated, as I am still very much a beginner when it comes to the SIEM.


      If it helps, we are currently running ESM version 9.5.0 MR4 with the following content packs:

      After having a quick glance through the pre-defined correlation rules, I can see that there are multiple failed login attempts, but nothing that refers to account lockouts. Can the current rules be manipulated to fit my requirements?


      Many thanks in advance for any assistance/advice that is forthcoming.
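As an added illustration (not from the original thread, and not McAfee ESM rule configuration), this is the counting logic such a correlation rule has to implement: group lockout events by the locked-out account and fire when one account reaches 5 lockouts inside a sliding 24-hour window, while other accounts and events older than the window are ignored. The sample events are constructed; 4740 is the Windows Security event ID for "A user account was locked out".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lockout events (hypothetical). In a real deployment these
# would be the Windows Security event 4740 records collected from the DCs.
# Fields: timestamp, locked-out account, source workstation.
SAMPLE_EVENTS = [
    ("2016-04-05 08:00:00", "jsmith", "WS01"),
    ("2016-04-05 09:30:00", "jsmith", "WS01"),
    ("2016-04-05 09:45:00", "adoe",   "WS07"),
    ("2016-04-05 11:00:00", "jsmith", "WS02"),
    ("2016-04-05 15:20:00", "jsmith", "WS01"),
    ("2016-04-05 16:00:00", "adoe",   "WS07"),
    ("2016-04-06 07:59:00", "jsmith", "WS01"),  # 5th for jsmith inside 24h -> alert
    ("2016-04-06 08:30:00", "jsmith", "WS01"),  # starts a fresh count after the alert
]

THRESHOLD = 5            # lockouts of the same account ...
WINDOW = timedelta(hours=24)   # ... within this sliding window


def correlate_lockouts(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window correlation over (timestamp, user, source) tuples.

    Keeps, per account, only the lockout timestamps that still fall inside the
    window and raises an alert the moment an account reaches the threshold.
    Returns a list of (timestamp, user, count) alerts, oldest first.
    """
    history = defaultdict(deque)   # user -> timestamps within the window
    alerts = []
    for ts_text, user, _source in sorted(events):   # process in time order
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        recent = history[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # expire events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ts_text, user, len(recent)))
            recent.clear()   # one alert per burst; counting restarts afterwards
    return alerts


if __name__ == "__main__":
    for when, who, count in correlate_lockouts(SAMPLE_EVENTS):
        print(f"ALERT {when}: account '{who}' locked out {count} times within 24h")
```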