
Security Analytics - Need Help with rules for Administrator-level logins

Question asked by qKtoeRtCP06K6iLmJqdBOtHPBH9UuAqadYBtycLosd0= on Apr 5, 2016
Latest reply on Apr 12, 2016 by David Waugh

Greetings,

 

I would like some advice on how to create a rule in Alerts > Configure > Rules.

 

I am using SA 10.4. I would like to create a rule that will trigger an alert, which will send an email to a designated address, when administrator-level users log in to a particular system. So far I have not been successful. Below is the scenario:

 

1. Whether the attempt is successful or failed (Figure 2), AND

2. A user attempts to log in using an administrative-level username (Figure 3), AND

3. Also, this alert is based on a specified logon type (Figure 4), which is:

     a.      physical/software-based login on a keyboard

     b.      via network

     c.      via RDP

 

Below is a screen capture of the rule that I created.

Capture.JPG

The first condition is as below

Capture.JPG

The 2nd condition

Capture.JPG

 

The 3rd condition

Capture.JPG

 

 
