I have made a correlation rule for 5 or more failed logons on a single IP or single destination, but when the alert is hit we are not able to see the meta key; in the event viewer it shows 0 size.
Refer to the attached screenshot.
I've seen the same since I implemented 2 correlation rules; I figured it was SOP for SA.
SOP means? Do you have any solution for this issue?
Standard operating procedure.
So what's the solution for the correlation alert? Can we get the correlated alert on our mail ID without using any ESA appliance, because I am not able to set any output action on the mentioned correlated alert.