Hi,
I'm familiar with the "Continuous Excessive Logon Failure" rule/template. That's great, but I want a little more.
What I want to be able to do is create a rule for when a brute force attack is successful. Let's say an account triggered the "Continuous Excessive Logon Failure" rule repeatedly, so email alerts are sent notifying appropriate staff of the alert.
What I would like to happen is, if there is a successful logon within, let's say, 5 minutes after the previous "Continuous Excessive Logon Failure" rule is triggered, a new rule is triggered that notifies of the successful login after a series of failed attempts.
I've tried tinkering with rules and searches but I haven't had any success. Does anyone have any suggestions?
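One way to prototype the correlation the post describes outside the SIEM, as an added example (not code from the original post or from any particular product): a small Python detector over constructed sample logon events that fires only when a successful logon follows an "excessive failure" trigger within the 5-minute window. The log format, the failure threshold and the failure window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (assumed format, not real logs):
# "<date> <time> <user> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-01-10 09:00:05 alice FAIL
2024-01-10 09:00:09 alice FAIL
2024-01-10 09:00:14 alice FAIL
2024-01-10 09:00:20 alice FAIL
2024-01-10 09:00:27 alice FAIL
2024-01-10 09:02:40 alice SUCCESS
2024-01-10 09:05:00 bob FAIL
2024-01-10 09:05:10 bob FAIL
2024-01-10 09:30:00 bob SUCCESS
2024-01-10 10:00:00 carol SUCCESS
"""

def parse(log):
    """Turn the sample lines into (timestamp, user, outcome) tuples."""
    events = []
    for line in log.splitlines():
        date, time, user, outcome = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), user, outcome))
    return events

def success_after_failures(events, threshold=5, fail_window=timedelta(minutes=2),
                           success_window=timedelta(minutes=5)):
    """Return (user, success_time) alerts: the user accumulated `threshold`
    failures inside `fail_window` (the "excessive failure" rule firing) and
    then logged on successfully within `success_window` of that trigger."""
    recent_fails = defaultdict(list)   # user -> timestamps of recent failures
    triggered_at = {}                  # user -> time the failure rule last fired
    alerts = []
    for ts, user, outcome in sorted(events):
        if outcome == "FAIL":
            # sliding window: drop failures older than fail_window
            recent_fails[user] = [t for t in recent_fails[user] + [ts]
                                  if ts - t <= fail_window]
            if len(recent_fails[user]) >= threshold:
                triggered_at[user] = ts
        elif outcome == "SUCCESS":
            fired = triggered_at.pop(user, None)   # stale triggers are discarded
            if fired is not None and ts - fired <= success_window:
                alerts.append((user, ts))
            recent_fails[user] = []
    return alerts
```

Only alice produces an alert: bob's two failures never reach the threshold, and carol has no failures at all.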