2 Replies Latest reply on Aug 8, 2016 10:56 AM by gdeterville

    Rules from a single host, from a single user ID


      I need to create two rules that will alert on brute force attacks within a specific time frame, one from the same source, and another one from the same user ID.

      I see the rule "Continuous Excessive Logon Failures" template; however, I am unsure how to modify this rule to add the necessary parameter - from the same source.

      These rules would be separate rules - i.e., one rule containing the same source, another rule containing the same user ID.

      Any ideas would be appreciated.
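
The two groupings asked about above, as an added example that is not part of the original post and is not the product's rule syntax: the same sliding-window failure count, keyed once on source and once on user ID. The threshold, window, field names and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch seconds, source IP, user ID, outcome)
EVENTS = [
    (0,   "198.51.100.7", "alice", "fail"),   # one source, many users
    (10,  "198.51.100.7", "bob",   "fail"),
    (20,  "198.51.100.7", "carol", "fail"),
    (30,  "198.51.100.7", "dave",  "fail"),
    (35,  "203.0.113.5",  "erin",  "fail"),   # many sources, one user
    (40,  "203.0.113.9",  "erin",  "fail"),
    (45,  "203.0.113.12", "erin",  "fail"),
    (50,  "203.0.113.20", "erin",  "fail"),
    (55,  "203.0.113.20", "erin",  "success"),
    (500, "198.51.100.7", "alice", "fail"),   # outside any earlier window
]

FIELDS = {"source": 1, "user": 2}  # hypothetical field names -> tuple index

def failed_logon_alerts(events, group_by, threshold=4, window=60):
    """Return (group value, first ts, last ts, count) each time `threshold`
    failures sharing the same `group_by` field fall within `window` seconds."""
    idx = FIELDS[group_by]
    recent = defaultdict(deque)  # group value -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e[0]):
        if ev[3] != "fail":
            continue
        ts, value = ev[0], ev[idx]
        q = recent[value]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((value, q[0], ts, len(q)))
            q.clear()               # one alert per burst, then count afresh
    return alerts

if __name__ == "__main__":
    print("same source :", failed_logon_alerts(EVENTS, "source"))
    print("same user ID:", failed_logon_alerts(EVENTS, "user"))
```

In the sample data each burst trips only one of the two groupings, which is why they are kept as separate rules.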