2023-06-13 09:08 AM
Hello all
Can I create a rule like: 3 failed logins to Windows from the same IP but with different users?
When I use group by ip_src, I get an alert even when the same user fails to log in 3 times.
Thanks
2023-10-25 04:05 PM
erni1989,
To do that kind of alerting you need to have an Event Stream Analysis (ESA) server. The ESA has the ability to keep track of multiple events and patterns to produce alerts. The creation of ESA rules can be a very complex process. Below is some of our documentation that you can use for reference.
ESA Rules: https://community.netwitness.com/t5/netwitness-platform-threat/rsa-esa-rules/ta-p/677885
Creating ESA Rules: https://community.netwitness.com/t5/netwitness-platform-online/create-an-esa-rule/ta-p/688878
Configure ESA Correlation Rules: https://community.netwitness.com/t5/netwitness-platform-online/configure-esa-correlation-rules/ta-p/669425
If you are looking for more assistance with actually creating ESA rules, I highly suggest engaging our Professional Services. They are a paid engagement and you would need to talk with your NetWitness Sales/Account Representative. If you have some questions about syntax, you can open a NetWitness Support case and we can try to clarify any syntax usage questions.
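
The correlation asked about in this thread, sketched in Python as an added example. It is not NetWitness code or ESA rule syntax and does not come from either poster. It groups failed logons by ip_src but alerts on the number of different users rather than the number of events, so one user failing three times does not fire. The event tuple layout, the 300-second window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300     # assumed correlation window
MIN_DISTINCT_USERS = 3   # "3 failed logins ... different user"

# Constructed sample events: (epoch_seconds, ip_src, user, outcome), time-ordered.
SAMPLE_EVENTS = [
    (1000, "10.0.0.5", "alice", "failure"),
    (1010, "10.0.0.5", "alice", "failure"),
    (1020, "10.0.0.5", "alice", "failure"),  # same user three times: no alert
    (1030, "10.0.0.9", "alice", "failure"),
    (1040, "10.0.0.9", "bob", "failure"),
    (1045, "10.0.0.9", "bob", "success"),    # successes are ignored
    (1050, "10.0.0.9", "carol", "failure"),  # third distinct user: alert
    (2000, "10.0.0.7", "dave", "failure"),
    (2100, "10.0.0.7", "erin", "failure"),
    (2400, "10.0.0.7", "frank", "failure"),  # dave has aged out: no alert
]

def distinct_user_failures(events, window=WINDOW_SECONDS,
                           threshold=MIN_DISTINCT_USERS):
    """Alert when one source IP fails logon for >= threshold different
    users inside a sliding window. Repeats by the same user count once."""
    recent = defaultdict(deque)  # ip_src -> (ts, user) failures still in window
    alerted = set()              # IPs currently above threshold (suppress repeats)
    alerts = []
    for ts, ip_src, user, outcome in events:
        if outcome != "failure":
            continue
        q = recent[ip_src]
        q.append((ts, user.lower()))  # Windows account names are case-insensitive
        while q and ts - q[0][0] > window:
            q.popleft()               # drop failures older than the window
        users = {u for _, u in q}
        if len(users) >= threshold:
            if ip_src not in alerted:
                alerted.add(ip_src)
                alerts.append({"ip_src": ip_src, "time": ts,
                               "users": sorted(users)})
        else:
            alerted.discard(ip_src)   # re-arm once the IP drops below threshold
    return alerts

if __name__ == "__main__":
    for alert in distinct_user_failures(SAMPLE_EVENTS):
        print(alert)
```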