editing alert #13096
Replies: 1 comment
-
mrayirn, According to the description, it seems it is looking for the Event ID listed, relating to events for clearing the Security EventLog. You can edit the Event ID in the selection portion of the alert to be the Event ID for failed login attempts. You can look it up; I'm sure you'll find it on Microsoft's website somewhere. As I am sure you are aware, 2.4.70 has been released and the new Detections feature is amazing. I would recommend upgrading if you have not already; you can make changes and add new Sigma rules through it: https://docs.securityonion.net/en/2.4/sigma.html#adding-new-sigma-rules Hope that helps.
-
Hi All,
I have a question regarding one of the alerts I'm trying to set up for my RDS farm, which is communicating with ADC. I have attached the default alert coding. The section is "condition: selection" and I would like to change the selection part to get an alert if someone tries to log in and fails. I'm not quite sure what to type to get failed login alerts. Could you please help me out with this? Thanks in advance!

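The edit the reply describes, shown as an added example that is not part of the original thread and not Security Onion's or Sigma's own code: a small Python matcher that applies a Sigma-style `selection` / `condition` block to a few constructed Windows Security events, with the log-clearing rule placed beside the edited failed-logon version so the effect of swapping the Event ID is visible. Both rule shapes are reconstructed assumptions (the rule attached to the question is not visible here). Event ID 1102 is "The audit log was cleared" and 4625 is "An account failed to log on" in the Windows Security log; the `TargetUserName`, `LogonType` and `Status` values in the sample events are constructed, and the optional `filter` block that drops machine accounts is an illustration of Sigma's `and not` condition, not something the reply suggested.

```python
"""
Sigma selection semantics, demonstrated on constructed Windows Security events.

Reconstructed shape of the rule being edited (an assumption; the attached
rule is not visible in the thread):

    logsource:
        product: windows
        service: security
    detection:
        selection:
            EventID: 1102          # The audit log was cleared
        condition: selection

The edit for failed logons only changes the selection block:

        selection:
            EventID: 4625          # An account failed to log on
        condition: selection
"""

# The same two rules as Python dicts so the matcher below can run them
# without a YAML library. Field names follow Sigma's Windows conventions.
CLEAR_LOG_RULE = {
    "title": "Security Event Log cleared",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {"selection": {"EventID": 1102}, "condition": "selection"},
}

FAILED_LOGON_RULE = {
    "title": "Failed logon attempt",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4625},
        # Optional noise reduction (illustration only): computer accounts
        # end in "$", so exclude them with Sigma's `|endswith` modifier.
        "filter": {"TargetUserName|endswith": "$"},
        "condition": "selection and not filter",
    },
}

# Constructed sample events already normalised to Sigma field names.
# Real Security Onion data is mapped to stored fields by the backend.
SAMPLE_EVENTS = [
    {"EventID": 1102, "SubjectUserName": "admin", "Channel": "Security"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 10},
    {"EventID": 4625, "TargetUserName": "alice", "LogonType": 10,
     "Status": "0xC000006D"},                      # STATUS_LOGON_FAILURE
    {"EventID": 4625, "TargetUserName": "RDS01$", "LogonType": 3},
]


def _field_matches(event, key, expected):
    """Evaluate one `Field|modifier: value` entry; a list of values is OR."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    wanted = expected if isinstance(expected, list) else [expected]
    for w in wanted:
        a, w = str(actual), str(w)          # compare as strings, like a SIEM
        if modifier == "" and a == w:
            return True
        if modifier == "contains" and w in a:
            return True
        if modifier == "startswith" and a.startswith(w):
            return True
        if modifier == "endswith" and a.endswith(w):
            return True
    return False


def _block_matches(event, block):
    """Every field in a selection/filter block must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())


def rule_matches(rule, event):
    """Support the two condition forms used here: `X` and `X and not Y`."""
    det = rule["detection"]
    cond = det["condition"].split()
    if len(cond) == 1:
        return _block_matches(event, det[cond[0]])
    if len(cond) == 4 and cond[1] == "and" and cond[2] == "not":
        return (_block_matches(event, det[cond[0]])
                and not _block_matches(event, det[cond[3]]))
    raise ValueError(f"unsupported condition: {det['condition']}")


def alerting_events(rule, events):
    """Return the indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


if __name__ == "__main__":
    for rule in (CLEAR_LOG_RULE, FAILED_LOGON_RULE):
        print(rule["title"], "->", alerting_events(rule, SAMPLE_EVENTS))
```

Run as-is, the log-clearing rule fires only on the 1102 event and the edited rule only on the interactive 4625 event, with the machine-account failure removed by the filter. The point for the original question is that the `logsource` block stays the same and only the `EventID` value in `selection` changes; in Security Onion the rule itself remains YAML, edited through the Detections feature the reply links to, and the matcher above only illustrates what that selection means once the backend has mapped `EventID` to the stored field.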