RSA Admin

Need Input on Failed Logon alert threshold

Discussion created by RSA Admin Employee on Mar 23, 2012
My system's use case for failed logons is 5 failures in 3 minutes. That's what we have entered into the alert threshold for every device type. This causes a lot of alerts on simple user error and password fat-fingering. Our NOC has to respond to each and every one. I've been asked for a recommendation about tuning this down, but I don't know what's practical. 10 failures in 6 minutes? 6 failures in 10 minutes? Please let me know what your criteria are, or if there's a best practice. --== John
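
An added example, not part of the original post: a sliding-window counter that replays failed-logon events against the three thresholds named in the question, so candidate settings can be compared on an export of real failure events before changing the alert rule. The event tuples, account names and timings are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict, deque

# The three candidate rules from the question: (failure count, window in seconds).
CANDIDATES = {
    "5 in 3 min": (5, 180),
    "10 in 6 min": (10, 360),
    "6 in 10 min": (6, 600),
}

def count_alerts(failures, threshold, window_seconds):
    """Return {account: alert_count} for a 'threshold failures within window' rule.

    failures: iterable of (epoch_seconds, account) failed-logon events.
    After an alert fires, that account's window is cleared so a single
    burst is not re-alerted on every additional failure.
    """
    recent = defaultdict(deque)   # account -> timestamps still inside the window
    alerts = defaultdict(int)
    for ts, account in sorted(failures):
        window = recent[account]
        window.append(ts)
        # Drop failures that have aged out of the window.
        while ts - window[0] > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts[account] += 1
            window.clear()
    return dict(alerts)

def build_sample():
    """Constructed events: a quick mistyping burst, a slow trickle, a sustained burst."""
    events = [(t, "alice") for t in (0, 20, 45, 70, 100)]   # 5 failures in 100 s
    events += [(i * 108, "bob") for i in range(6)]          # 6 failures over 9 min
    events += [(i * 25, "svc_backup") for i in range(12)]   # 12 failures in under 5 min
    return events

def compare(failures):
    """Replay the same events against every candidate rule."""
    return {name: count_alerts(failures, n, w) for name, (n, w) in CANDIDATES.items()}

if __name__ == "__main__":
    for name, result in compare(build_sample()).items():
        print(f"{name:12} -> {result}")
```

On this sample, the longer-window rule catches the slow trickle that both short-window rules miss, while the 10-failure rule drops the mistyping burst but still fires on the sustained one.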
