Thread: Correlating Events from same User

  1. #1
    mmarchese NNTP User

    Correlating Events from same User


    Hello everybody, I was wondering if there is any way to add a
    correlation rule expression to correlate consecutive events from the
    same targetUserName. For example "Three consecutive failed logins from
    the same user".

    I'm working with Sentinel 7.2

    Thanks in Advance


    --
    mmarchese
    ------------------------------------------------------------------------
    mmarchese's Profile: https://forums.netiq.com/member.php?userid=1311
    View this thread: https://forums.netiq.com/showthread.php?t=52492


  2. #2
    ab NNTP User

    Re: Correlating Events from same User

    Look at the Distinct and Discriminator options, depending on which part of
    correlation you're using:

    https://www.netiq.com/documentation/....html#b17j7qz4


    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  3. #3
    jgassner NNTP User

    Re: Correlating Events from same User


    There are rules that come out of the box that are similar to what you're
    looking to create. For example, "Multiple login failures for local
    privileged accounts".


    --
    jgassner
    ------------------------------------------------------------------------
    jgassner's Profile: https://forums.netiq.com/member.php?userid=324
    View this thread: https://forums.netiq.com/showthread.php?t=52492
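
Added example, not part of the thread and not Sentinel rule syntax: a Python sketch of the logic the question asks for. It groups events per targetUserName (the kind of per-field grouping a discriminator gives) and resets a user's count on a successful login, so only consecutive failures count. The `outcome` and `ts` field names, the 300-second window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real Sentinel output). "targetUserName" is the
# field named in the question; "ts" and "outcome" are hypothetical field names.
SAMPLE_EVENTS = [
    {"ts": 0,    "targetUserName": "alice", "outcome": "failure"},
    {"ts": 5,    "targetUserName": "bob",   "outcome": "failure"},
    {"ts": 9,    "targetUserName": "alice", "outcome": "failure"},
    {"ts": 12,   "targetUserName": "bob",   "outcome": "success"},
    {"ts": 15,   "targetUserName": "alice", "outcome": "failure"},  # alice: 3 in a row
    {"ts": 20,   "targetUserName": "bob",   "outcome": "failure"},
    {"ts": 25,   "targetUserName": "bob",   "outcome": "failure"},  # bob: 2 since success
    {"ts": 400,  "targetUserName": "carol", "outcome": "failure"},
    {"ts": 800,  "targetUserName": "carol", "outcome": "failure"},
    {"ts": 1200, "targetUserName": "carol", "outcome": "failure"},  # too spread out
]


def consecutive_failures(events, threshold=3, window=300):
    """Return (user, first_ts, last_ts) for each run of `threshold` consecutive
    failed logins by one user that fits inside `window` seconds."""
    runs = defaultdict(list)  # per-user timestamps of the current failure run
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["targetUserName"]
        if ev["outcome"] != "failure":
            runs[user].clear()  # a success breaks that user's streak
            continue
        run = runs[user]
        run.append(ev["ts"])
        # Discard failures that have fallen out of the time window.
        while ev["ts"] - run[0] > window:
            run.pop(0)
        if len(run) >= threshold:
            alerts.append((user, run[0], run[-1]))
            run.clear()  # start counting afresh after firing
    return alerts


if __name__ == "__main__":
    for user, first, last in consecutive_failures(SAMPLE_EVENTS):
        print(f"{user}: {first}s..{last}s")
```

Counting failures per user inside a window without the reset would also fire when successful logins are interleaved with the failures, which is not the same condition as "consecutive".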

