I'm using NW 11 and i have mor than 13.000 alert for Multiple Failed Privilege Escalations by Same User alerts.
What kind of alert is this one? How can i investigate it?
At the same time i have more than 15.000 alerts for Multiple Account Lockouts From Same or Different Users. I relaize thats about users who failed the autentication in an account. But how can i know if its their personal account, which machine have the tried do login, etc...
Renato, that's a question that's extremely difficult to answer in a forum post. I would suggest talking to the Sales Engineer that covers your account. They can either meet with you to show you how to respond, or direct you to the appropriate training resources (many of them are free!) to explain at a higher level how to deal with alerts of any type.
For this specific alert, I can offer that I see that trigger when NetWitness is first installed at a lot of customers. It's usually caused by misconfigured systems or expired passwords in your environment. The alert will contain links back to the individual logs that are categorized as login failures and those event logs will tell you what account(s) are involved and what systems are impacted. Then you can either fix the system (update the password, stop the requests, etc.) or whitelist that account in the rule itself.