Hello,

The correlation rule "Large Number of authentication attempts for a single user from
multiple hosts" (this rule comes with Sentinel) is working
perfectly. But I want this rule to ignore/exclude one source IP, that of the
Web Proxy Server. If a user has 2-3 failed logins while logging on to MS
AD (event source) via his/her PC and then provides the wrong
password 2-3 times to the Web Proxy Server, which then authenticates the user
again against MS AD (event source), this rule gets fired. We want this rule
to ignore the source IP address of the Web Proxy Server.


co-rule:
Large Number of authentication attempts for a single user from multiple
hosts:
filter(((e.XDASClass = 2) AND (e.XDASIdentifier = 0) AND ((e.XDASOutcome = 0) OR (e.XDASOutcome = 1) OR (e.XDASOutcome = 2))))
flow
trigger(5,300,discriminator(e.InitiatorUserName))


--
sharfuddin
------------------------------------------------------------------------
sharfuddin's Profile: https://forums.netiq.com/member.php?userid=1016
View this thread: https://forums.netiq.com/showthread.php?t=57465
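The following Python script is an added illustration, not part of the post above and not Sentinel's own code. It emulates what the quoted rule does (a filter on XDAS class/identifier/outcome, then a `trigger(5,300,discriminator(e.InitiatorUserName))` sliding window per user) over a constructed event sample, and shows why the proxy's re-authentication attempts push a single user over the threshold and how excluding the proxy's source address in the filter stage changes the outcome. The `SourceIP` event field and the proxy address `10.0.0.5` are assumptions made for the example; the real field name and address must be taken from your own Sentinel events.

```python
from collections import defaultdict, deque

# Hypothetical address of the Web Proxy Server (an assumption for this example).
PROXY_IP = "10.0.0.5"

# Constructed sample events (not real Sentinel data). "ts" is seconds since an
# arbitrary epoch; "SourceIP" is assumed to be the field carrying the client address.
# alice: 3 failures from her PC, then 3 more replayed by the proxy on her behalf.
# bob:   5 failures from 5 different hosts, the case the rule is meant to catch.
SAMPLE_EVENTS = [
    {"ts": 0,  "XDASClass": 2, "XDASIdentifier": 0, "XDASOutcome": 1,
     "InitiatorUserName": "alice", "SourceIP": "192.168.1.20"},
    {"ts": 10, "XDASClass": 2, "XDASIdentifier": 0, "XDASOutcome": 1,
     "InitiatorUserName": "alice", "SourceIP": "192.168.1.20"},
    {"ts": 20, "XDASClass": 2, "XDASIdentifier": 0, "XDASOutcome": 1,
     "InitiatorUserName": "alice", "SourceIP": "192.168.1.20"},
    {"ts": 30, "XDASClass": 2, "XDASIdentifier": 0, "XDASOutcome": 1,
     "InitiatorUserName": "alice", "SourceIP": PROXY_IP},
    {"ts": 40, "XDASClass": 2, "XDASIdentifier": 0, "XDASOutcome": 1,
     "InitiatorUserName": "alice", "SourceIP": PROXY_IP},
    {"ts": 50, "XDASClass": 2, "XDASIdentifier": 0, "XDASOutcome": 1,
     "InitiatorUserName": "alice", "SourceIP": PROXY_IP},
] + [
    {"ts": 100 + 10 * i, "XDASClass": 2, "XDASIdentifier": 0, "XDASOutcome": 1,
     "InitiatorUserName": "bob", "SourceIP": f"192.168.1.{50 + i}"}
    for i in range(5)
]


def rule_filter(e, exclude_ips=()):
    """Mirror of the rule's filter(...) clause, plus an optional exclusion
    list for source addresses that should never be counted (e.g. the proxy)."""
    return (e["XDASClass"] == 2
            and e["XDASIdentifier"] == 0
            and e["XDASOutcome"] in (0, 1, 2)
            and e["SourceIP"] not in exclude_ips)


def trigger(events, count, window, discriminator, exclude_ips=()):
    """Emulate trigger(count, window, discriminator(field)).

    Events passing the filter are grouped by the discriminator field; the rule
    fires for a group once `count` events fall inside a `window`-second span.
    Returns a list of (discriminator value, timestamp of firing)."""
    buckets = defaultdict(deque)
    fired = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not rule_filter(e, exclude_ips):
            continue
        key = e[discriminator]
        q = buckets[key]
        q.append(e["ts"])
        # Drop timestamps that have fallen out of the sliding window.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= count:
            fired.append((key, e["ts"]))
            q.clear()  # start a fresh window after firing
    return fired


if __name__ == "__main__":
    # As shipped: alice fires because the proxy's retries are counted against her.
    print(trigger(SAMPLE_EVENTS, 5, 300, "InitiatorUserName"))
    # With the proxy excluded at the filter stage, only bob's multi-host case fires.
    print(trigger(SAMPLE_EVENTS, 5, 300, "InitiatorUserName", exclude_ips={PROXY_IP}))
```

The exclusion is applied in the filter stage rather than after the trigger, so the proxy's events never enter the per-user window at all; a post-trigger suppression would still let the proxy's replays contribute to the count for other, legitimate firings.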