Hello, I have an OSSEC deployment with a little over 700 agents communicating. The issue I am having is that rules such as 40501 report a large number of false positives. There are a large number of brute-force attacks across the environment at any given time, and whenever a legitimate user logs in, the alert is triggered. I have not seen an obvious (to me) way to modify the rules or groups to address this issue. Has anyone tackled this issue before?
Thanks
