I need to create two rules that will alert on brute force attacks within specific time frame, one from the same source, and another one from the same user ID.
I see the rule "Continuous Excessive Logon Failures" template however I am unsure how to modify this rule to add the necessary parameter - from the same source.
These rules would be separate rules - IE one rule containing the same source, another rule containing the same user ID.
Any ideas would be appreciated.