I have a rule set up in LEM to detect failed logins: after 5 failed logins in 5 minutes, the Source Machine is added to a User Defined Group as a Suspect System. I have a second rule that looks for successful logins from the Suspect System list of Source Machines, and if it detects a successful login from a system on that list, it triggers an alert.
The problem I am having with determining whether they are legitimate or not is that oftentimes there is no IP, just a system name, which I can't really trace back to anything. Am I missing something obvious here? I need the IP in order to see where it came from; if all I have for a SourceMachine is a system name, I am dead in the water.
Any suggestions here would be much appreciated, thanks!
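The two-stage correlation described in the post (5 failures in 5 minutes puts the source on a suspect list; a later success from a listed source raises an alert), as an added example in Python that is not part of the original post and not SolarWinds LEM code. It adds the step the post is missing: before the source is used as a correlation key, it is normalized to an IP, taken from the event when present and otherwise looked up from the hostname in an inventory table. The `HOST_TO_IP` table, the event field names and the sample events are all constructed here as stand-ins for a real DHCP/DNS/asset lookup and for LEM's own fields; sources that cannot be resolved are still tracked, and any alert they produce is flagged for manual IP follow-up rather than dropped.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures that make a source a suspect
WINDOW = timedelta(minutes=5)  # sliding window for counting failures

# Constructed hostname-to-IP enrichment table. In practice this would be a
# DHCP lease or DNS/asset-inventory lookup keyed on the hostname.
HOST_TO_IP = {"WKS-0042": "10.1.20.42", "LAPTOP-JDOE": "10.1.30.17"}


def enrich_source(event):
    """Return (correlation_key, how) for an event: the IP if the event carries
    one, else the IP resolved from the hostname, else the bare hostname."""
    ip = event.get("source_ip")
    if ip:
        return ip, "event"
    host = event.get("source_machine")
    if host in HOST_TO_IP:
        return HOST_TO_IP[host], "lookup"
    return host, "unresolved"


class SuspectLoginCorrelator:
    """Stage 1: sliding-window failed-logon counter per normalized source.
    Stage 2: alert on a successful logon from a source already on the list."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.suspects = {}                  # key -> details of why it was listed
        self.alerts = []

    def process(self, event):
        key, how = enrich_source(event)
        ts = event["time"]
        if event["type"] == "logon_failure":
            q = self.failures[key]
            q.append(ts)
            while q and ts - q[0] > self.window:   # drop failures outside the window
                q.popleft()
            if len(q) >= self.threshold and key not in self.suspects:
                self.suspects[key] = {
                    "hostname": event.get("source_machine"),
                    "source_id": how,
                    "since": ts,
                    "user": event.get("user"),
                }
        elif event["type"] == "logon_success" and key in self.suspects:
            info = self.suspects[key]
            alert = {
                "time": ts,
                "source": key,
                "hostname": info["hostname"],
                "user": event.get("user"),
                # no IP could be attached: analyst must pin the host down first
                "needs_ip_followup": info["source_id"] == "unresolved",
            }
            self.alerts.append(alert)
            return alert
        return None


def run(events):
    """Feed events in time order through a fresh correlator and return it."""
    c = SuspectLoginCorrelator()
    for ev in sorted(events, key=lambda e: e["time"]):
        c.process(ev)
    return c


# Constructed sample events (not real log data).
T0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # five failures in four minutes, hostname only -> resolved to 10.1.20.42
    *[{"time": T0 + timedelta(minutes=i), "type": "logon_failure",
       "source_machine": "WKS-0042", "user": "svc-backup"} for i in range(5)],
    # later success reported with an IP only; joins the suspect via the normalized key
    {"time": T0 + timedelta(minutes=7), "type": "logon_success",
     "source_ip": "10.1.20.42", "user": "svc-backup"},
    # six failures spread over more than five minutes -> never reaches the threshold
    *[{"time": T0 + timedelta(minutes=m), "type": "logon_failure",
       "source_machine": "LAPTOP-JDOE", "user": "jdoe"} for m in (0, 1, 2, 10, 11, 12)],
    # hostname no inventory knows -> still listed, alert flagged for follow-up
    *[{"time": T0 + timedelta(minutes=20 + i), "type": "logon_failure",
       "source_machine": "DESKTOP-9Q2K", "user": "admin"} for i in range(5)],
    {"time": T0 + timedelta(minutes=26), "type": "logon_success",
     "source_machine": "DESKTOP-9Q2K", "user": "admin"},
]

if __name__ == "__main__":
    c = run(SAMPLE_EVENTS)
    for a in c.alerts:
        print(a)
```

The point of the normalization step is that the two rules only join when the failures and the later success share a key. With hostname-only failures and an IP-only success, a correlator keyed on the raw field never fires; keyed on the resolved IP it does. Where the hostname cannot be resolved, keeping the entry and marking the alert as needing follow-up preserves the signal for an analyst instead of silently losing it.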