5 Replies Latest reply on Nov 4, 2016 6:19 AM by kmc

    Corre: Successful Local Host Login after Brute Force Attempts



      I want to learn something about the "Successful Local Host Login after Brute Force Attempts" correlation rule.

      In this rule there is a group by (Destination IP). So a local host is trying a brute force, and after the first events (10 mins, 10 times) another local host logs in successfully. But they are different local hosts. These steps are correct but Group by Destination IP is the default value that our DC server's.

      What do you think about this? Is it normal?
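
The grouping behaviour described in the post above, as an added example (not part of the original thread and not the SIEM product's own rule logic): a minimal correlator run with two different group-by settings over the same events. The field names, IP addresses and the `correlate` function are assumptions made for illustration; the 10 failures in 10 minutes come from the post.

```python
from collections import defaultdict, deque

WINDOW = 600      # 10 minutes, as in the rule described in the post
THRESHOLD = 10    # 10 failed logins

def correlate(events, group_by):
    """Return alerts as (group key, time of success, source of success).

    events: time-ordered dicts with ts (seconds), src_ip, dst_ip, outcome.
    group_by: tuple of field names used to bucket events (hypothetical names).
    """
    failures = defaultdict(deque)   # group key -> timestamps of recent failures
    alerts = []
    for ev in events:
        key = tuple(ev[f] for f in group_by)
        recent = failures[key]
        # Drop failures that have fallen out of the 10-minute window.
        while recent and ev["ts"] - recent[0] > WINDOW:
            recent.popleft()
        if ev["outcome"] == "failure":
            recent.append(ev["ts"])
        elif len(recent) >= THRESHOLD:
            alerts.append((key, ev["ts"], ev["src_ip"]))
            recent.clear()          # one alert per burst of failures
    return alerts

# Constructed sample data: one host fails 10 times against the DC,
# then a different host logs in, then the original host logs in.
DC = "10.0.0.10"

def sample_events():
    evs = [{"ts": i * 30, "src_ip": "10.0.1.21", "dst_ip": DC,
            "outcome": "failure"} for i in range(10)]
    evs.append({"ts": 330, "src_ip": "10.0.1.45", "dst_ip": DC,
                "outcome": "success"})
    evs.append({"ts": 360, "src_ip": "10.0.1.21", "dst_ip": DC,
                "outcome": "success"})
    return evs

if __name__ == "__main__":
    # Grouped by destination only: the unrelated host's login fires the rule.
    print(correlate(sample_events(), ("dst_ip",)))
    # Grouped by destination and source: only the brute-forcing host matches.
    print(correlate(sample_events(), ("dst_ip", "src_ip")))
```

With grouping on the destination alone, every failure and success aimed at the domain controller lands in one bucket, so the first successful login from any host completes the pattern.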