Filter assistance handling multiple accounts targeting one system, and one account targeting multiple systems.

jere557

I’m trying to build a couple LEM filters.

We’ve got 2 different filters we need to make, to accomplish the following….

* Failed login attempts of multiple accounts, in a short period of time, on one device.

* Consecutive access denied on multiple devices from a single account (local or domain).

Could anyone recommend how we can build those out?

Find more posts tagged with

lem filter

lem

Accepted answers

All comments

blsanner

You can't really do these things directly in a filter as filters don't give you the correlation time options that you have when creating rules. What you could do is create rules that match these items and have the rules infer an event. Then create filters to look for these inferred events.

jere557

Thanks! i'll give that a shot. A tip of the hat to you, sir.

cluele__

Did it work?

Quick Links

All Categories
Recent Posts
Activity
Unanswered
Groups
Help
Best Of