Hi folks,
I'm very, very new to LEM; I started working with this SIEM this week and my boss told me to conduct a demo with a customer next week.
So, I configured a Cisco ASA connector and active response, initiated a scan attack with Metasploit and Nmap, created a correlation rule for TCP traffic, and the LEM shuns the attacker IP automatically at the ASA. Works nicely.
The second part of my demo is to shut down or restart a Windows server with the LEM agent installed when the Administrator account has several login failures. I used the critical account logon failure template and modified it with the action of shutting down the machine. I started a remote desktop session and entered a wrong password several times, but neither the alert nor the shutdown action takes effect. If I manually go and look for the UserLogonFailure event and select the shutdown response, the machine is correctly shut down, so I think the communication between the LEM and the agent is working fine.
Any ideas why the rule doesn't fire with the right action? I'm using UserLogonFailure.DetectionIP as the agent field in the rule.
Regards.
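For anyone building the same threshold rule, here is a stand-alone Python illustration (added here; it is neither LEM code nor the poster's) of the correlation logic the rule is meant to express: count UserLogonFailure events for the Administrator account per reporting agent inside a time window, and use the agent host (DetectionIP) as the response target. The field names mirror those in the post; the sample events, the threshold and the window are constructed, and the account-name normalization is an assumption about how differently formatted account names should be matched.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of normalized logon-failure events as a SIEM correlation
# rule would see them. DetectionIP is the agent host that reported the event
# (the machine a shutdown/restart response would target); SourceMachine is
# where the attempt came from. These are not real LEM records.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T10:00:00", "event": "UserLogonFailure", "DetectionIP": "10.0.0.5",
     "SourceMachine": "10.0.0.77", "DestinationAccount": "Administrator"},
    {"time": "2024-01-10T10:00:30", "event": "UserLogonFailure", "DetectionIP": "10.0.0.5",
     "SourceMachine": "10.0.0.77", "DestinationAccount": "CORP\\Administrator"},
    {"time": "2024-01-10T10:00:45", "event": "UserLogonFailure", "DetectionIP": "10.0.0.5",
     "SourceMachine": "10.0.0.78", "DestinationAccount": "jsmith"},
    {"time": "2024-01-10T10:01:00", "event": "UserLogonFailure", "DetectionIP": "10.0.0.5",
     "SourceMachine": "10.0.0.77", "DestinationAccount": "administrator"},
    {"time": "2024-01-10T10:20:00", "event": "UserLogonFailure", "DetectionIP": "10.0.0.5",
     "SourceMachine": "10.0.0.77", "DestinationAccount": "Administrator"},
    {"time": "2024-01-10T10:20:10", "event": "UserLogonFailure", "DetectionIP": "10.0.0.9",
     "SourceMachine": "10.0.0.77", "DestinationAccount": "Administrator"},
]

CRITICAL_ACCOUNTS = {"administrator"}   # constructed list of critical accounts
THRESHOLD = 3                           # failures needed to fire (constructed)
WINDOW = timedelta(minutes=5)           # sliding window (constructed)


def normalize_account(name):
    """Strip a DOMAIN\\ prefix and lower-case so 'CORP\\Administrator',
    'Administrator' and 'administrator' all count toward the same key."""
    return name.rsplit("\\", 1)[-1].lower()


def correlate(events, threshold=THRESHOLD, window=WINDOW):
    """Return one response record per (DetectionIP, account) whose failure
    count reaches the threshold inside the window; the window resets after
    firing so one burst produces one response, not one per extra failure."""
    buckets = defaultdict(deque)
    fired = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] != "UserLogonFailure":
            continue
        acct = normalize_account(ev["DestinationAccount"])
        if acct not in CRITICAL_ACCOUNTS:
            continue
        ts = datetime.fromisoformat(ev["time"])
        q = buckets[(ev["DetectionIP"], acct)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            fired.append({"target": ev["DetectionIP"], "account": acct, "count": len(q)})
            q.clear()
    return fired
```

Running `correlate(SAMPLE_EVENTS)` fires once for agent 10.0.0.5 (three Administrator failures within a minute, the jsmith failure ignored) and not for the lone failures at 10:20, which is the behaviour to confirm before attaching a disruptive response such as a shutdown.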