I am trying to set up a simple correlation rule for Windows 2008 that will fire any time an account fails to log in 10 times within 10 minutes. (I may tweak these numbers later, but for now that's what they will start as.)
I wrote a report for failed logins for Windows 2008 and found that the user name field (the account that failed to log in) is C_Username.
I do NOT see this field available in the multi-threading section of my Correlation rule.
The proper message ID 'Security_4625_Microsoft-Windows-Security-Auditing' has been added to the correlation rule circuit/label. This is the only message id in the rule.
Do the fields that appear in multi-threading correlate to the fields we see in a report or are they somehow different?
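The logic the question describes (count 4625 failures per account in a sliding 10-minute window, fire at 10) can be expressed outside any SIEM as a short script, which makes it clear that the rule must be grouped on the target-account field (C_Username here) rather than on whatever fields the correlation UI happens to expose. The following is an added, product-agnostic example and is not the SIEM vendor's rule engine or the original poster's configuration. It assumes a constructed line format of `<ISO timestamp> <message id> C_Username=<account>`, reusing the message id from the post; the sample events are made up for the demonstration.

```python
"""Sliding-window failed-logon correlation, keyed on the target account.

Added illustration of a "10 failures in 10 minutes per account" rule.
The line format and the sample events below are constructed for this
example; they are not real Windows event data or a vendor's log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message id as it appears in the post; the numeric event id is the second field.
FAILED_LOGON = "Security_4625_Microsoft-Windows-Security-Auditing"
SUCCESS_LOGON = "Security_4624_Microsoft-Windows-Security-Auditing"  # ignored by the rule


def parse_line(line):
    """Parse '<timestamp> <message id> key=value ...' into (datetime, event id, fields)."""
    tokens = line.split()
    ts = datetime.fromisoformat(tokens[0])
    event_id = tokens[1].split("_")[1]          # 'Security_4625_...' -> '4625'
    fields = dict(tok.split("=", 1) for tok in tokens[2:])
    return ts, event_id, fields


def correlate(lines, threshold=10, window=timedelta(minutes=10), event_id="4625",
              key_field="C_Username"):
    """Return [(account, fire_time)] each time an account reaches `threshold`
    matching events inside `window`. Events are processed in the order given."""
    recent = defaultdict(deque)   # account -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ts, eid, fields = parse_line(line)
        if eid != event_id:
            continue                         # only the failed-logon event counts
        account = fields.get(key_field)
        if account is None:
            continue                         # no target account on this line; cannot key on it
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((account, ts))
            q.clear()                        # fire once per burst, not on every further failure
    return alerts


def constructed_events():
    """Build a small, labelled set of sample lines (constructed, not real logs)."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # alice: 10 failures one minute apart (9-minute span) -> should fire at 10:09
    for i in range(10):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} {FAILED_LOGON} C_Username=alice")
    # bob: 10 failures three minutes apart (27-minute span) -> never 10 inside any 10 minutes
    for i in range(10):
        lines.append(f"{(base + timedelta(minutes=3 * i)).isoformat()} {FAILED_LOGON} C_Username=bob")
    # carol: 5 failures then a successful logon -> below threshold, success is ignored
    for i in range(5):
        lines.append(f"{(base + timedelta(minutes=20 + i)).isoformat()} {FAILED_LOGON} C_Username=carol")
    lines.append(f"{(base + timedelta(minutes=25)).isoformat()} {SUCCESS_LOGON} C_Username=carol")
    lines.sort()                             # deliver in timestamp order, as a collector would
    return lines


if __name__ == "__main__":
    for account, when in correlate(constructed_events()):
        print(f"ALERT: {account} reached 10 failed logons by {when.isoformat()}")
```

With the default settings only `alice` fires (at 10:09); `bob` accumulates the same total but never has ten failures inside one window, and `carol` stays below threshold. The point for the rule in the SIEM is the same as the `key_field` argument: whichever grouping field the correlation editor offers must carry the target account from the 4625 event, otherwise the count is made across all accounts and a handful of unrelated failures can trigger it.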