12 Replies Latest reply on Nov 7, 2014 3:00 AM by garrethcoleman

    Login Failure Doesn't Detect IP

    byrona

      I have a rule set up in LEM to detect failed logins: after 5 failed logins in 5 minutes the Source Machine will be added to a User Defined Group as a Suspect System.  I have a 2nd rule that will look for successful logins from the Suspect System list of Source Machines, and if it detects a successful login from a system on that list it will trigger an alert.


      The problem that I am having with determining if they are legitimate or not is that oftentimes there is no IP, just a system name which I can't really trace back to anything.  Am I missing something obvious here?  I need the IP in order to see where it came from; if all I have for a SourceMachine is a system name I am dead in the water.


      Any suggestions here would be much appreciated, thanks!
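The two-rule correlation described in the post (threshold of failed logons per source within a sliding window, then an alert on a later successful logon from a source in the suspect group), as an added example that is not part of the original post and not LEM's own rule engine. It also shows the name-only problem the poster describes: a SourceMachine that is a bare host name is flagged as unresolved unless a separately maintained host-to-IP map (here a constructed stand-in for something like a DHCP lease export) can supply the address. The event labels `logon_failure` / `logon_success`, the sample events and the host map are all constructed for this example.

```python
"""Toy correlation of failed/successful logons keyed by SourceMachine (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

THRESHOLD = 5                  # failed logons needed to mark a source as suspect
WINDOW = timedelta(minutes=5)  # sliding window the failures must fall within

# Constructed sample events: (timestamp, event_type, source_machine, user).
# Not real LEM output; the event_type labels are assumptions for this example.
SAMPLE_EVENTS = [
    ("2014-11-06 09:00:05", "logon_failure", "10.1.2.3", "jsmith"),
    ("2014-11-06 09:00:20", "logon_failure", "10.1.2.3", "jsmith"),
    ("2014-11-06 09:01:10", "logon_failure", "10.1.2.3", "jsmith"),
    ("2014-11-06 09:02:00", "logon_failure", "10.1.2.3", "jsmith"),
    ("2014-11-06 09:03:30", "logon_failure", "10.1.2.3", "jsmith"),  # 5th within 5 min
    ("2014-11-06 09:10:00", "logon_success", "10.1.2.3", "jsmith"),  # success from a suspect
    ("2014-11-06 09:00:00", "logon_failure", "WKSTN-042", "admin"),   # name only, no IP
    ("2014-11-06 09:01:00", "logon_failure", "WKSTN-042", "admin"),
    ("2014-11-06 09:02:00", "logon_failure", "WKSTN-042", "admin"),
    ("2014-11-06 09:03:00", "logon_failure", "WKSTN-042", "admin"),
    ("2014-11-06 09:04:30", "logon_failure", "WKSTN-042", "admin"),
    ("2014-11-06 09:06:00", "logon_failure", "LAPTOP-7", "bob"),      # only two failures
    ("2014-11-06 09:15:00", "logon_failure", "LAPTOP-7", "bob"),
]

# Constructed host-name-to-IP map, standing in for a DHCP lease or asset export.
HOST_MAP = {"WKSTN-042": "10.1.5.77"}


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Rule 1: >= threshold failures from one source inside the window -> suspect.
    Rule 2: a successful logon from a suspect source -> alert.
    Returns (suspects, alerts); suspects maps source -> time it was flagged."""
    failures = defaultdict(deque)  # source -> timestamps of recent failures
    suspects = {}                  # the 'User Defined Group' of suspect sources
    alerts = []
    for ts_str, kind, source, user in sorted(events, key=lambda e: e[0]):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if kind == "logon_failure":
            recent = failures[source]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop failures outside window
                recent.popleft()
            if len(recent) >= threshold and source not in suspects:
                suspects[source] = ts
        elif kind == "logon_success" and source in suspects:
            alerts.append({"time": ts_str, "source": source, "user": user})
    return suspects, alerts


def source_identity(source, host_map):
    """Classify a SourceMachine value. An IP literal is usable as-is; a bare host
    name is looked up in host_map and marked unresolved if absent."""
    try:
        ipaddress.ip_address(source)
        return {"source": source, "ip": source, "resolved_by": "event"}
    except ValueError:
        pass
    ip = host_map.get(source.upper())
    return {"source": source, "ip": ip, "resolved_by": "host_map" if ip else None}


def triage(events, host_map):
    """Run both rules and attach an identity record to every suspect so that
    name-only sources stand out as needing a lookup."""
    suspects, alerts = correlate(events)
    identities = {s: source_identity(s, host_map) for s in suspects}
    return {"suspects": identities, "alerts": alerts}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, HOST_MAP)
    for src, ident in result["suspects"].items():
        print(f"suspect {src}: ip={ident['ip']} via={ident['resolved_by']}")
    for a in result["alerts"]:
        print(f"ALERT successful logon from suspect {a['source']} as {a['user']} at {a['time']}")
```

The useful part for the poster's situation is `source_identity`: when the event only carries a host name, the rule itself cannot produce an address, so a lookup against an independently maintained name-to-IP source is the only way to get one, and anything that fails that lookup (here `LAPTOP-7`, which never becomes a suspect anyway) should be surfaced as unresolved rather than silently dropped.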