We use two rules, one for 20+ failures within 30 seconds from a single IP, and another for 40+ failures within 60 minutes from a single IP. Here's what the first looks like:
UserLogonFailure.DestinationAccount <> UserLogonFailure.DestinationMachine
20 Events within 30 seconds
Field: UserLogonFailure.SourceMachine Modifier:SAME *
Response Window 5 minutes
* Click on the Gear/Clock icon to the right of "Events within" to access advanced settings.
In truth, the first "UserLogonFailure" probably isn't necessary, but this was one of my first rules so I was still experimenting when I wrote it.
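As an added illustration of what the two rules above do (this is example code, not SolarWinds LEM's own logic and not the poster's rule): a small sliding-window correlator that groups UserLogonFailure events by SourceMachine, applies the "DestinationAccount <> DestinationMachine" filter, fires when a source reaches the threshold inside the window, and then suppresses repeat alerts for the response window. The field names mirror the rule text; the event objects, the sample data and the reading of "Response Window" as a cool-down interval before the same source can fire again are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonFailure:
    """One UserLogonFailure event (field names follow the LEM rule text)."""
    ts: datetime
    source_machine: str          # UserLogonFailure.SourceMachine (the attacking/source IP)
    destination_account: str     # UserLogonFailure.DestinationAccount
    destination_machine: str     # UserLogonFailure.DestinationMachine


@dataclass(frozen=True)
class ThresholdRule:
    name: str
    threshold: int               # "N Events within ..."
    window: timedelta            # "... within N seconds/minutes"
    response_window: timedelta   # assumed: cool-down before the same source fires again


# The two rules described in the post: 20+ in 30 s and 40+ in 60 min, both per source IP.
RULES = (
    ThresholdRule("20 failures / 30 s", 20, timedelta(seconds=30), timedelta(minutes=5)),
    ThresholdRule("40 failures / 60 min", 40, timedelta(minutes=60), timedelta(minutes=5)),
)


def correlate(events, rules=RULES):
    """Return a list of (rule name, source machine, fire time) tuples in time order."""
    alerts = []
    # One timestamp queue per (rule, source): Modifier "SAME" on SourceMachine.
    history = {r.name: defaultdict(deque) for r in rules}
    last_fired = {r.name: {} for r in rules}
    for ev in sorted(events, key=lambda e: e.ts):
        # Mirrors the rule's first condition: DestinationAccount <> DestinationMachine.
        if ev.destination_account == ev.destination_machine:
            continue
        for rule in rules:
            q = history[rule.name][ev.source_machine]
            q.append(ev.ts)
            # Drop timestamps that have aged out of the rule's window.
            while q and ev.ts - q[0] > rule.window:
                q.popleft()
            if len(q) >= rule.threshold:
                fired = last_fired[rule.name].get(ev.source_machine)
                if fired is None or ev.ts - fired >= rule.response_window:
                    alerts.append((rule.name, ev.source_machine, ev.ts))
                    last_fired[rule.name][ev.source_machine] = ev.ts
    return alerts


def build_sample_events():
    """Constructed sample data: a fast burst, a slow burst, and one filtered self-logon."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # 25 failures in 25 seconds from 10.0.0.5 -> trips the 30-second rule once.
    for i in range(25):
        events.append(LogonFailure(base + timedelta(seconds=i), "10.0.0.5", "jsmith", "DC01"))
    # A machine-account self logon from the same source; excluded by the <> condition.
    events.append(LogonFailure(base + timedelta(seconds=10), "10.0.0.5", "DC01$", "DC01$"))
    # 43 failures one minute apart from 10.0.0.7 -> never 20 in 30 s, but 40 within 60 min.
    for j in range(43):
        events.append(LogonFailure(base + timedelta(minutes=j), "10.0.0.7", "admin", "FS02"))
    # Background noise that trips nothing.
    for k in range(5):
        events.append(LogonFailure(base + timedelta(minutes=3 * k), "10.0.0.9", "guest", "WS11"))
    return events


def run_demo():
    return correlate(build_sample_events())


if __name__ == "__main__":
    for name, src, when in run_demo():
        print(f"{when:%H:%M:%S}  {name}  source={src}")
```

The fast burst fires the 30-second rule exactly once (on the 20th counted failure) because the remaining events fall inside the 5-minute response window; the slow burst never reaches 20 in any 30-second window but does reach 40 within 60 minutes, so only the second rule fires for it.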
Can you please include a screenshot of the rule? I'm new to the LEM and cannot get my correlation to look like yours here.