Does anyone know how to set up a filter and/or rule that will notice multiple failed login attempts by multiple users (before account lockout) originating from the same IP within a certain time frame?
Thanks,
Jeremy
BUILD > Rules: drag the failedauthentication event, specify the event count and the sliding time frame. Use the tiny icon next to the time frame to bring up the advanced options editor and drag the sourcemachine field. You can leave the time window drop-down as the default of 5 minutes. You can refer to the new evaluation guide under the documentation section of the SolarWinds website for an example of creating custom rules.
You can find instructions with screenshots in the 'Custom Rules' section of this doc (pages 30-33):
http://www.solarwinds.com/documentation/LEM/Docs/LEM_Evaluation_Guide.pdf
Just to back up HolyGuacamole with some pictures:
You'd want a rule that was at least this complicated:
The circled thing is what Guac is referring to. Then you can do this:
And that means the LEM has to see 5 events in 30 seconds from the same DetectionIP. You can obviously use other fields as well if you want to play with it.
Thank you both, but not exactly what I'm looking for I think. Maybe an example would be a bit better.
UserA = failed login pc1 (no alert)
UserA = failed login pc1 (no alert)
UserB = failed login pc1 (alert) that multiple users attempted to log in unsuccessfully from the same IP (or PC) within a set time period.
The idea behind the alert is to detect if someone is trying to "crack" passwords for users but at the same time not making enough bad tries to lock the account. If someone theoretically discovers the user naming convention and has a list of user names, they can script password attempts round-robin style to keep from locking accounts. Now, the time that would be needed to do this is pretty long, but I just had an audit and this question came up.
Is this a better explanation of what I'm trying to do? Not sure it is possible within LEM.
Thank you both again for your answers, it is appreciated.
Jeremy
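For readers who want to see the detection logic from the example above spelled out outside the LEM rule builder, here is an added illustration (not part of the original thread and not LEM's own implementation): a sliding-window check that alerts when one source IP produces failed logons for several distinct accounts within the window, even though no single account has enough failures to lock out. The field names, thresholds and log lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding time frame, like the LEM rule's window
MIN_USERS = 3                   # distinct accounts from one source before alerting

# Constructed sample failed-logon events: (timestamp, source IP, username).
# Note usera fails twice and every other account once, so no account would
# reach a typical lockout threshold on its own.
SAMPLE_FAILURES = [
    ("2024-01-01 08:00:00", "10.0.0.5", "usera"),
    ("2024-01-01 08:00:20", "10.0.0.5", "usera"),
    ("2024-01-01 08:01:10", "10.0.0.5", "userb"),
    ("2024-01-01 08:01:45", "10.0.0.5", "userc"),
    ("2024-01-01 08:02:00", "10.0.0.9", "userd"),
    ("2024-01-01 08:30:00", "10.0.0.5", "usere"),
]


def detect_multi_user_failures(events, window=WINDOW, min_users=MIN_USERS):
    """Return a list of (timestamp, source IP, sorted usernames) alerts.

    An alert fires when a single source IP has failed logons for at least
    `min_users` distinct accounts inside the sliding `window`. The count is
    of distinct accounts, not of events, which is what separates round-robin
    guessing from one user mistyping a password repeatedly.
    """
    recent = defaultdict(deque)   # source IP -> deque of (time, user) in window
    alerts = []
    for ts, src, user in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        q.append((t, user))
        while q and t - q[0][0] > window:   # expire events older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            alerts.append((ts, src, sorted(users)))
            q.clear()   # reset so one burst does not re-alert on every event
    return alerts


if __name__ == "__main__":
    for when, src, users in detect_multi_user_failures(SAMPLE_FAILURES):
        print(f"{when} {src}: failed logons for {len(users)} accounts {users}")
```

With the constructed data this alerts once, at 08:01:45 for 10.0.0.5, and stays quiet for the single failure from 10.0.0.9 and the later isolated failure from 10.0.0.5 outside the window.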