Making a rule for 100 logon failures.

I am trying to make a rule for 100 similar logon failures and trigger an email and SNMP trap. I have several rules set up and they all work well. This is one thing I cannot figure out, probably because I don't fully understand the "1 event within 5 minutes" part of the correlation. I always had it at 1 per 30 seconds and it has worked well.

Also, I have multiple customers logging to a single appliance and I hope I don't have to make one rule for each customer.

  • Hi,

    You just need to get the correlation side of things squared away in your rule and you will be fine.

    Under Correlation Time change 1 to 100 and within 30 seconds to your desired time window (e.g. 3 minutes). The response window is a bit of a mystery to me too and I have typically left this setting alone for fear of breaking the rules. If you need to get complex, you can use the advanced correlation configuration (gear icon). You will need to identify how long it takes for LEM to receive 100 simultaneous login events and ensure this also fits in with your window you want to fire a rule for this activity, else your rule may not fire, or fire false alerts.

    To send SNMP traps you need to configure the SNMP active response connector, and for email the SMTP active response connector. Your rule will need to be relevant, but if you want it to fire on only say 10 usernames, create a user defined group and set your event correlation to contain that group.

  • To add to what Garreth said, if you want it to be 100 logon failures from the SAME user (not 100 logon failures from anyone), you want to use an Advanced Threshold (hit the little gear button as he pointed out) and specify SAME DestinationAccount.  Otherwise, it's commonly the timeframe that makes these things work or not work.

  • Thank you! That gear was helpful!
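
Added example (not part of the original thread and not LEM's own rule logic): a Python model of the threshold discussed above, showing how "100 failures within a window" behaves when counted across all accounts versus per SAME DestinationAccount. The function name, the event layout and the sample events are constructed for illustration; only the DestinationAccount field name comes from the thread.

```python
from collections import defaultdict, deque

def threshold_alerts(events, count, window_s, same_field=None):
    """Fire when `count` events arrive within `window_s` seconds.

    events: dicts with 'time' (seconds), sorted ascending.
    same_field: if set, events are counted separately per value of that
    field (the "SAME DestinationAccount" behaviour); if None, every
    matching event counts toward one shared total.
    Returns (group_value, first_time, last_time) per alert.
    """
    windows = defaultdict(deque)
    alerts = []
    for ev in events:
        key = ev[same_field] if same_field else None
        q = windows[key]
        q.append(ev["time"])
        # Drop events that have aged out of the correlation window.
        while ev["time"] - q[0] > window_s:
            q.popleft()
        if len(q) >= count:
            alerts.append((key, q[0], ev["time"]))
            q.clear()  # one alert per burst instead of one per extra event
    return alerts

def build_sample():
    """Constructed logon-failure events (not real log data)."""
    fail = lambda t, acct: {"time": t, "DestinationAccount": acct}
    burst = [fail(t, "alice") for t in range(100)]             # 100 in 99 s
    noise = [fail(1000 + i, f"user{i}") for i in range(150)]   # 150 accounts, 1 each
    slow = [fail(5000 + 10 * i, "bob") for i in range(100)]    # 100 over 990 s
    return burst + noise + slow

if __name__ == "__main__":
    events = build_sample()
    for label, field in (("any account", None), ("same account", "DestinationAccount")):
        for key, first, last in threshold_alerts(events, 100, 180, field):
            print(f"{label}: group={key} reached 100 in {last - first} s")
```

With a 3-minute window the ungrouped count also fires on the 150 unrelated single failures, while the per-account count fires only for the one account that actually failed 100 times. Shrinking the window to 60 seconds misses that account's burst entirely, because its 100 failures take 99 seconds to arrive.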