Correlation rule question - multiple persistent logins
Updated: 10 Oct 2010 | 1 comment
Hi,
We need to monitor multiple persistent user logins from different computers to the AD. Is there a way to correlate this in SSIM? It seems to me that there is no way to correlate it (there is no "many to many followed by X").
Scenario:
A user logs in from a PC (WinID 540), then logs on from another PC without logging out (WinID 538) from the first.
Thanks for any ideas. Symantec support was not able to help us or advise if this type of correlation is possible at all.
Comments
You may be able to accomplish this with the Negative Rule type introduced in 4.7. Not 100% sure though.
You'd probably have to tweak the event count (in order to show 2 successful logins), or find some other way of determining a user that logs into 2 machines, without logging out of the first.
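The correlation asked about in this thread, written out in Python as an added example (it is not from the original posts and is not SSIM rule syntax): it keeps per-user state of open sessions and alerts when a 540 logon arrives from a second computer before a 538 logoff from the first. The event tuple layout, host names, function name and the `max_age` expiry are assumptions made for illustration.

```python
from collections import defaultdict

LOGON, LOGOFF = 540, 538  # Windows event IDs named in the question

# Constructed sample events: (epoch seconds, event ID, user, source computer)
SAMPLE_EVENTS = [
    (100, 540, "alice", "PC-01"),
    (160, 540, "bob",   "PC-07"),
    (200, 540, "alice", "PC-02"),   # alice still logged on at PC-01 -> alert
    (260, 538, "bob",   "PC-07"),
    (300, 540, "bob",   "PC-09"),   # bob logged off PC-07 first -> no alert
    (400, 538, "alice", "PC-01"),
    (450, 540, "alice", "PC-01"),   # PC-02 session still open -> alert
]

def find_concurrent_logins(events, max_age=None):
    """Return alerts for logons that occur while the same user still has an
    open session (logon without a later logoff) on a different computer.

    max_age (seconds, optional, hypothetical parameter) expires sessions whose
    logoff was never recorded, so one lost 538 does not cause alerts forever.
    """
    open_sessions = defaultdict(dict)   # user -> {host: logon time}
    alerts = []
    for ts, event_id, user, host in sorted(events):
        sessions = open_sessions[user]
        if max_age is not None:
            # Drop sessions older than max_age before evaluating this event.
            for h in [h for h, t in sessions.items() if ts - t > max_age]:
                del sessions[h]
        if event_id == LOGON:
            others = sorted(h for h in sessions if h != host)
            if others:
                alerts.append({"time": ts, "user": user,
                               "new_host": host, "open_on": others})
            sessions[host] = ts
        elif event_id == LOGOFF:
            sessions.pop(host, None)
    return alerts

if __name__ == "__main__":
    for alert in find_concurrent_logins(SAMPLE_EVENTS):
        print(alert)
```

Sessions are matched on user and computer only; a deployment that receives the logon ID in both events could key on that instead.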