1 Reply Latest reply on Mar 22, 2017 11:45 AM by curtisi

    Creating an alert if source is always the same?

    itco

      I'm trying to generate an alert if there are multiple failed login attempts from the same IP address, regardless of the username. The part I'm having trouble with is telling LEM to only alert if it's from the same IP address. In the parameters I know to put * for all, or a specific word, but not sure how to say "if same IP address".

       

      In the Rule Creation this is what I have the Correlations set for:

       

      UserLogonFailure

      AND

      UserLogonFailure.SourceMachine = ?????
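
The "same IP address" condition in the question amounts to counting failures per source value inside a time window and ignoring the username. The sketch below is an added example, not part of the original post and not LEM rule syntax; the threshold, the window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data):
# (timestamp, SourceMachine, username that failed to log on)
SAMPLE_EVENTS = [
    ("2017-03-22 11:00:00", "10.0.0.5", "alice"),
    ("2017-03-22 11:00:10", "10.0.0.9", "bob"),
    ("2017-03-22 11:00:20", "10.0.0.5", "bob"),
    ("2017-03-22 11:00:30", "10.0.0.5", "carol"),
    ("2017-03-22 11:00:40", "10.0.0.5", "dave"),
    ("2017-03-22 11:00:50", "10.0.0.5", "erin"),
    ("2017-03-22 11:20:00", "10.0.0.9", "bob"),
    ("2017-03-22 11:40:00", "10.0.0.9", "bob"),
]

def find_repeat_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return [(source, alert_time, usernames)] for each source that reaches
    `threshold` logon failures inside `window`, whatever usernames were tried."""
    recent = defaultdict(deque)  # source -> (time, user) pairs still in the window
    alerts = []
    for ts, source, user in sorted(events):  # ISO-style timestamps sort as text
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[source]
        q.append((now, user))
        # Forget failures from this source that fell out of the window.
        while now - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((source, ts, sorted({u for _, u in q})))
            q.clear()  # reset so one burst produces one alert
    return alerts

if __name__ == "__main__":
    for source, ts, users in find_repeat_sources(SAMPLE_EVENTS):
        print(f"{ts} ALERT {source}: failed logons for {users}")
```
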