I have a request to tune the output of Rule 18152: Multiple Windows Logon Failures. They would like:
1. More than 5 failed logins to a single user should be identified so we can act on it. 2. More than 10 failed logins to a single device for any user be identified so we can act it. 3. All other instants of Windows Logon Failures should be set to lower alert level I've spent all day mucking with rules and it seems like this: <rule id="18152" level="10" frequency="5" timeframe="240" overwrite="yes"> <if_matched_group>win_authentication_failed</if_matched_group> <same_user /> <description>Multiple (5) Windows Logon Failures.</description> <group>authentication_failures,</group> </rule> gets what I want for condition 1., but I'm not certain. I've had no success at all trying to get conditions 1 and 2 working at the same time. Is this type of rule configuration possible? I could use some assistance, please. --[Lance] -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.