Simple Multithreading Field Question
I am trying to set up a simple correlation rule for Windows 2008 that will fire anytime an account fails to log in 10 times within 10 minutes. (I may tweak these numbers later, but for now that's what they will start as).
I wrote a report for failed logins for Windows 2008 and found that the user name field (the account that failed to log in) is C_Username.
I do NOT see this field available in the multi-threading section of my Correlation rule.
The proper message ID 'Security_4625_Microsoft-Windows-Security-Auditing' has been added to the correlation rule circuit/label. This is the only message id in the rule.
Do the fields that appear in multi-threading correlate to the fields we see in a report or are they somehow different?
The names may be slightly different. The field you are looking for is probably called either c_username or Event User.
They do correlate, but I agree that the naming conventions used between reporting and alerting can sometimes be confusing, especially with Windows events. The best way to check the name mappings is to look at the Manage Variables screen in enVision.
Oh man you rock. That Manage Variables page in System Configuration -> Messages was exactly what I was looking for. This kinda puts the pieces together. Thank you!
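To show the counting logic the rule in this thread expresses (10 failures per account within 10 minutes, keyed on the 4625 user name field), here is an added Python sketch that is not enVision rule syntax and not code from the thread; the event tuple layout, the field name `c_username`, and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # failures per account that trigger the rule
WINDOW = timedelta(minutes=10)  # sliding window the failures must fall inside
FAILED_LOGON = "4625"          # Windows Security: an account failed to log on

# Constructed sample events, not real logs: (timestamp, event_id, c_username).
BASE_TIME = datetime(2024, 1, 15, 8, 0, 0)
SAMPLE_EVENTS = (
    # svc_backup: 12 failures 30 s apart -> 10 inside the window at the 10th one
    [(BASE_TIME + timedelta(seconds=30 * i), FAILED_LOGON, "svc_backup") for i in range(12)]
    # alice: 10 failures 3 min apart -> never 10 inside any 10-minute window
    + [(BASE_TIME + timedelta(minutes=3 * i), FAILED_LOGON, "alice") for i in range(10)]
    # a successful logon (4624) is outside the rule's single message id
    + [(BASE_TIME + timedelta(minutes=1), "4624", "alice")]
)


def detect_failed_logon_burst(events, threshold=THRESHOLD, window=WINDOW):
    """Return (c_username, timestamp) for each failure that tips an account
    over `threshold` failed logons within `window`; one alert per burst."""
    recent = defaultdict(deque)  # c_username -> timestamps still inside the window
    alerts = []
    for ts, event_id, user in sorted(events):
        if event_id != FAILED_LOGON:
            continue  # only the 4625 message id feeds this rule
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            alerts.append((user, ts))
            q.clear()  # reset so a single burst raises a single alert
    return alerts


if __name__ == "__main__":
    for user, ts in detect_failed_logon_burst(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} threshold reached for c_username={user}")
```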