
Security Analytics - Need Help with rules for Administrator-level logins

Question asked by qKtoeRtCP06K6iLmJqdBOtHPBH9UuAqadYBtycLosd0= on Apr 5, 2016
Latest reply on Apr 12, 2016 by David Waugh



Would like some advice on how to create a rule in Alerts > Configure > Rules.


I am using SA 10.4. I would like to create a rule that will trigger an alert, which will send an email to a designated address, when users with administrator-level login to a particular system. So far I have not been successful. Below is the scenario:


1. Whether the attempt is either successful or failed (Figure 2) AND

2. A user attempts to log in using an administrative-level username (Figure 3) AND

3. Also, this alert is based on a specified logon type (Figure 4), which is:

     a.      physical/software-based login on a keyboard

     b.      via network

     c.      via RDP


A screen capture of the rule that I created is below.


The first condition as below


The 2nd condition



The 3rd condition