Windows Account Lockout rule - one incident per user...how hard is that?
Updated: 18 Sep 2010 | 1 comment
I have been trying in vain to configure the default "Windows Account Lockout" rule so that I only get one incident for each user that gets locked out. Currently, all lockout events go into one incident regardless of what user got locked out. This makes it a pain to respond to the incident.
Right now the rule is set up as a "Single Event" rule type with "User Name" as the tracking field.
Comments
Correlate by Conclusion Type and Resource Field
You need to change the value of the 'Correlate by' field, which is available in the Actions tab. Change the default setting to 'Conclusion Type and Resource Field' and use 'User Name' as the resource field.
hth