I have a request to tune the output of Rule 18152: Multiple Windows Logon
Failures. They would like:
1. More than 5 failed logins to a single user should be identified so we
can act on it.
2. More than 10 failed logins to a single device for any user be identified
so we can act it.
3. All other instants of Windows Logon Failures should be set to lower
alert level
I've spent all day mucking with rules and it seems like this:
<rule id="18152" level="10" frequency="5" timeframe="240"
overwrite="yes">
<if_matched_group>win_authentication_failed</if_matched_group>
<same_user />
<description>Multiple (5) Windows Logon Failures.</description>
<group>authentication_failures,</group>
</rule>
gets what I want for condition 1., but I'm not certain.
I've had no success at all trying to get conditions 1 and 2 working at the
same time.
Is this type of rule configuration possible? I could use some assistance,
please.
--[Lance]
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
