This is typically what a root/cron logon looks like within LEM:
You can add conditions to your correlation rules to exclude certain usernames, hostnames, etc.
For example, you can add a condition to the 'Authentication Attempt - Default Account' rule to exclude events where the DetectionIP is not equal to the LEM appliance:
Your solution will not give the desired effect. You have all your conditions in a correlation box set to OR (yellow right edge). So, if any of these conditions are met, it will apply. That means the "DetectionIP not equal to *swi-lem*" condition will meet this even if the DestinationAccount isn't administrator, root, or guest.
I believe this will accomplish that.
The right edge is set to AND (blue), meaning that both groups must meet the condition for the correlation to be true: (DestinationAccount is equal to administrator, root, or guest) AND (DestinationIP is not equal to your LEM appliance).
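To make the AND/OR grouping difference concrete, here is an added example in Python that models the two rule layouts discussed in the replies above. It is not SolarWinds LEM's rule engine or any code from this thread; the field names (DestinationAccount, DetectionIP) and the appliance hostname swi-lem are taken from the thread, while the sample events and the function names are constructed for illustration.

```python
# Added example (not SolarWinds LEM code): models the two correlation-rule
# groupings from the thread and shows why the all-OR layout over-matches.
# Field names DestinationAccount / DetectionIP and the appliance name "swi-lem"
# come from the thread; the events below are constructed sample data.

DEFAULT_ACCOUNTS = {"administrator", "root", "guest"}
LEM_APPLIANCE = "swi-lem"   # the DetectionIP value to exclude (from the thread)


def flat_or_rule(event):
    """Unintended layout: every condition sits in one OR group (yellow edge).
    Any single condition being true fires the rule, so the exclusion
    condition alone matches every event not detected on the appliance."""
    conditions = [
        event.get("DestinationAccount") == "administrator",
        event.get("DestinationAccount") == "root",
        event.get("DestinationAccount") == "guest",
        event.get("DetectionIP") != LEM_APPLIANCE,
    ]
    return any(conditions)


def grouped_and_rule(event):
    """Intended layout: an outer AND group (blue edge) joining
    (account is one of the default accounts) with
    (DetectionIP is not the LEM appliance)."""
    account_group = event.get("DestinationAccount") in DEFAULT_ACCOUNTS  # inner OR
    ip_group = event.get("DetectionIP") != LEM_APPLIANCE                 # exclusion
    return account_group and ip_group


# Constructed sample events: a default-account logon from a host, the
# appliance's own root/cron logon, and an ordinary user logon.
EVENTS = [
    {"id": 1, "DestinationAccount": "root",   "DetectionIP": "10.0.0.5"},  # should fire
    {"id": 2, "DestinationAccount": "root",   "DetectionIP": "swi-lem"},   # appliance cron, excluded
    {"id": 3, "DestinationAccount": "jsmith", "DetectionIP": "10.0.0.9"},  # should not fire
]


def evaluate(rule, events=EVENTS):
    """Return the ids of the events on which the given rule fires."""
    return [e["id"] for e in events if rule(e)]


if __name__ == "__main__":
    print("flat OR layout fires on:", evaluate(flat_or_rule))        # [1, 2, 3]
    print("grouped AND layout fires on:", evaluate(grouped_and_rule))  # [1]
```

Running it shows the point of the reply: with everything in a single OR box the exclusion condition matches the ordinary user's logon too, while the AND-of-groups layout fires only for a default account seen somewhere other than the appliance.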