Help with a correlation rule? "Unauthorized login"
We have several systems, which are primarily used by only one individual.
We would like to be able to see if/when a "new" user logs in to that system. Similar to an "X not followed by X" rule, but not sure if or how we can establish criteria for the primary user, and differentiate them from an "unauthorized" user.
This is a college campus, and there are "opportunities" for student workers to have access to exam information which may be kept on local drives.
Any direction would be appreciated.
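One way to express the rule being asked about, as an added example that is not part of the original post and is independent of any particular SIEM product: learn, per host, which account(s) logged in successfully during a baseline window (or supply that mapping by hand), then alert on any later successful login by an account outside that set. The log lines, host names, account names and the `helpdesk` allowlist entry below are all constructed for this example.

```python
"""
Added example: flag successful logins by accounts that are not the
established primary user of a single-user workstation.

Approach: build a per-host baseline of accounts seen during a learning
window (or replace it with a hand-written primary-user map), then alert
on any later successful login by an account outside that set. The log
lines below are constructed for this example; the field layout is
"<ISO timestamp> host=<name> user=<account> result=<success|failure>".
"""
from collections import defaultdict
from datetime import datetime
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)$"
)

# Constructed sample events for two single-user workstations.
SAMPLE_LOG = """\
2024-03-01T08:02:11 host=REG-PC-07 user=jsmith result=success
2024-03-01T08:05:40 host=ADM-PC-12 user=mlee result=success
2024-03-02T08:01:03 host=REG-PC-07 user=jsmith result=success
2024-03-02T09:15:22 host=ADM-PC-12 user=mlee result=success
2024-03-03T07:58:49 host=REG-PC-07 user=jsmith result=success
2024-03-08T12:41:17 host=REG-PC-07 user=student42 result=failure
2024-03-08T12:42:05 host=REG-PC-07 user=student42 result=success
2024-03-08T13:10:30 host=ADM-PC-12 user=mlee result=success
2024-03-09T18:22:57 host=ADM-PC-12 user=helpdesk result=success
"""

# Accounts that legitimately log in to many machines (e.g. IT support).
# Hypothetical name for this example; tune to your environment.
ALLOWLIST = {"helpdesk"}


def parse_log(text):
    """Parse the constructed log lines into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def build_baseline(events, learning_end):
    """Per host, the set of accounts with a successful login up to learning_end."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "success" and ev["ts"] <= learning_end:
            baseline[ev["host"]].add(ev["user"])
    return dict(baseline)


def detect_unexpected_logins(events, baseline, learning_end, allowlist=ALLOWLIST):
    """Return (host, user, timestamp) for successful logins after learning_end
    by accounts that are neither in the host's baseline nor allowlisted.
    A host absent from the baseline has no expected users, so every login
    on it is reported; that is deliberate for newly seen machines."""
    alerts = []
    for ev in events:
        if ev["result"] != "success" or ev["ts"] <= learning_end:
            continue
        expected = baseline.get(ev["host"], set())
        if ev["user"] in expected or ev["user"] in allowlist:
            continue
        alerts.append((ev["host"], ev["user"], ev["ts"].isoformat()))
    return alerts


def run(text=SAMPLE_LOG, learning_end=datetime(2024, 3, 7)):
    """Learn the baseline up to learning_end, then evaluate the remaining events."""
    events = parse_log(text)
    baseline = build_baseline(events, learning_end)
    return baseline, detect_unexpected_logins(events, baseline, learning_end)


if __name__ == "__main__":
    baseline, alerts = run()
    for host, users in sorted(baseline.items()):
        print(f"{host}: primary user(s) {sorted(users)}")
    for host, user, ts in alerts:
        print(f"ALERT {ts} unexpected login on {host} by {user}")
```

Two points worth keeping in mind when carrying this over to a real correlation engine: the baseline should be frozen once the learning window closes, otherwise the first unexpected login silently becomes "expected"; and the baseline dict can simply be replaced by a hand-maintained mapping of host to primary account if that is easier to keep accurate than a learned one. Failed logins are ignored on purpose here, since the question is about who actually got in, but they are a useful secondary signal.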