
Login Failure Doesn't Detect IP

I have a Rule set up in LEM to detect failed logins: after 5 failed logins in 5 minutes the Source Machine will be added to a User Defined Group as a Suspect System.  I have a 2nd rule that will look for successful logins from the Suspect System list of Source Machines, and if it detects a successful login from a system on that list it will trigger an alert.

The problem that I am having with determining if they are legitimate or not is that oftentimes there is no IP, just a system name, which I can't really trace back to anything.  Am I missing something obvious here?  I need the IP in order to see where it came from; if all I have for a SourceMachine is a system name I am dead in the water.

Any suggestions here would be much appreciated, thanks!