
Failed AD Login Directive / alarm

MongoMongo

New Life Form
Hey Guys,

I would like to receive alarms for failed Active Directory logins. I currently have both our DCs added to OSSIM and am getting logs via NXLOG. I have created a directive as per the screenshot below, but no alarms are generated.

[Screenshot: Capture (directive configuration)]

Has anyone else set up something similar for failed AD logins? Or can anyone see something that I might have missed?

Thanks


Comments

  • risk = (asset value * priority * reliability)/25

    When the risk is greater than or equal to one, this will create an alarm.

    Try increasing the reliability.
  • It's much easier to install OSSEC (the AV agent) on the DC and align the event priority for auth failure events.
    Another option would be to create a custom view in the SIEM events tab.
  • Thanks for the info guys, looks like it might have just been the fact that I had spaces in the rule name, used underscores instead and the rule now works. Strange :)
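The following is an added example, not code from the thread or from AlienVault: it applies the risk formula quoted in the first comment to work out whether a directive would raise an alarm and what reliability a rule needs for a given asset value and priority, and it flags the rule-name pitfall reported in the last comment. The value ranges (asset value 0-5, priority 0-5, reliability 0-10) and the alarm threshold of 1 are assumptions taken from the comment and from common OSSIM usage, not something the thread states in full.

```python
"""Risk check for an OSSIM-style correlation directive.

Added example, not OSSIM's own code. Formula and threshold are as quoted
in the thread: risk = (asset value * priority * reliability) / 25, and an
alarm is raised when risk >= 1. Value ranges below are assumptions.
"""
import math

ALARM_THRESHOLD = 1.0   # from the comment: risk >= 1 creates an alarm
MAX_ASSET_VALUE = 5     # assumed range 0-5
MAX_PRIORITY = 5        # assumed range 0-5
MAX_RELIABILITY = 10    # assumed range 0-10


def risk(asset_value: int, priority: int, reliability: int) -> float:
    """risk = (asset value * priority * reliability) / 25, as quoted above."""
    for value, limit, name in (
        (asset_value, MAX_ASSET_VALUE, "asset_value"),
        (priority, MAX_PRIORITY, "priority"),
        (reliability, MAX_RELIABILITY, "reliability"),
    ):
        if not 0 <= value <= limit:
            raise ValueError(f"{name}={value} outside assumed range 0-{limit}")
    return (asset_value * priority * reliability) / 25


def raises_alarm(asset_value: int, priority: int, reliability: int) -> bool:
    """True when the computed risk reaches the alarm threshold."""
    return risk(asset_value, priority, reliability) >= ALARM_THRESHOLD


def min_reliability(asset_value: int, priority: int):
    """Smallest reliability that pushes risk to the threshold for this
    asset value and priority, or None if no reliability in the assumed
    range can reach it (the "increase the reliability" advice has a limit)."""
    product = asset_value * priority
    if product == 0:
        return None
    needed = math.ceil(25 * ALARM_THRESHOLD / product)
    return needed if needed <= MAX_RELIABILITY else None


def rule_name_issues(name: str) -> list:
    """Lint for the pitfall reported in the thread: a directive rule name
    containing spaces did not fire; underscores worked."""
    issues = []
    if not name.strip():
        issues.append("rule name is empty")
    elif any(ch.isspace() for ch in name):
        issues.append("rule name contains whitespace; use underscores instead")
    return issues


if __name__ == "__main__":
    # Constructed scenario: a DC with asset value 2, a rule at priority 2.
    asset, prio = 2, 2
    for rel in (1, 7):
        print(f"reliability={rel}: risk={risk(asset, prio, rel):.2f} "
              f"alarm={raises_alarm(asset, prio, rel)}")
    print("minimum reliability for an alarm:", min_reliability(asset, prio))
    for name in ("Failed AD Login", "Failed_AD_Login"):
        print(repr(name), rule_name_issues(name) or "ok")
```

Running it with the constructed values shows why a low-reliability rule stays silent on a mid-value asset, what reliability closes the gap, and that some asset/priority combinations cannot alarm at all by raising reliability alone.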