Advice needed to tune the rule "Multiple Login Failures for Single Username".
We have over 100,000 users. I have whitelisted scanners and known service accounts.
I am unable to track down every user account that has multiple login failures. Any suggestions other than adding users to the whitelist?
I have also set the alert to not fire unless x number of events from the same username occur in x minutes. Thanks
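The threshold the question describes (x failures for the same username within x minutes, with known service accounts whitelisted), as an added Python example that is not part of the original post or of QRadar; the events, usernames and the service account name are constructed. It uses a sliding window per username rather than fixed time buckets, so a burst that straddles a minute boundary is still counted together.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real log data: (timestamp, username, outcome)
EVENTS = [
    ("2017-05-16T09:00:00", "alice", "failure"),
    ("2017-05-16T09:00:30", "alice", "failure"),
    ("2017-05-16T09:01:10", "alice", "failure"),
    ("2017-05-16T09:01:40", "alice", "failure"),
    ("2017-05-16T09:00:05", "bob", "failure"),      # slow trickle: should not fire
    ("2017-05-16T09:20:00", "bob", "failure"),
    ("2017-05-16T09:40:00", "bob", "failure"),
    ("2017-05-16T10:00:00", "bob", "failure"),
    ("2017-05-16T09:00:00", "svc_backup", "failure"),  # hypothetical service account
    ("2017-05-16T09:00:01", "svc_backup", "failure"),
    ("2017-05-16T09:00:02", "svc_backup", "failure"),
    ("2017-05-16T09:00:03", "svc_backup", "failure"),
    ("2017-05-16T09:02:00", "carol", "success"),
]

WHITELIST = {"svc_backup"}  # known service accounts excluded from the rule


def failing_users(events, threshold, window_minutes, whitelist):
    """Return {username: timestamp} for every account that reaches
    `threshold` failures inside any sliding window of `window_minutes`.
    Whitelisted accounts and non-failure outcomes are ignored."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    fired = {}
    for ts_str, user, outcome in sorted(events):  # ISO timestamps sort as text
        if outcome != "failure" or user in whitelist or user in fired:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        q.append(ts)
        # Evict failures that fell out of the window before counting.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            fired[user] = ts_str  # first moment the rule would fire
    return fired


if __name__ == "__main__":
    print(failing_users(EVENTS, threshold=4, window_minutes=5, whitelist=WHITELIST))
```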
This dW Answers question is about an IBM document with the title:
QRadar Open Mic #24: Let’s talk about tuning QRadar – 16 May 2017