Brute force Correlation Rule

Hi guys,

I need somebody's help with the following use case:

Write a CRL which will capture:

7 failed logon attempts from the same Source IP and Source User in 10, 30, or 60 minutes

Followed by a successful logon from the same Source IP and Source User within 60 minutes after the previous 7 failures.

The CRLs are in the attachment and below is a screenshot from the Policy Editor.

There are some questions:

1. Does it make sense to set separate CRLs depending on the time in which those 7 failed logon attempts happen, or is one with a 60-minute gate inside enough?

    Will it work so that whatever happens first (Threshold or Time) closes this gate and then jumps to the next gate?

2. Does it make sense to set a sequence inside the first gate (7 failures)? From tests, the number of triggers for rules with a sequence in gate one is equal to those without a sequence enabled.

I would also like to ask for an explanation of how the Threshold and Time Window inside AND gates work.

Does the sequence have to be used only when there is more than one match component inside a gate?

Thank you in advance

Mike

2 Replies
abanaru
Level 11
Message 2 of 3

Re: Brute force Correlation Rule

1. Does it make sense to set separate CRLs depending on the time in which those 7 failed logon attempts happen, or is one with a 60-minute gate inside enough?

One is enough.

    Will it work so that whatever happens first (Threshold or Time) closes this gate and then jumps to the next gate?

If you keep the 3 correlation rules they will all fire if 7 failed logon attempts occur.

2. Does it make sense to set a sequence inside the first gate (7 failures)? From tests, the number of triggers for rules with a sequence in gate one is equal to those without a sequence enabled.

No, but you need sequence for the 2nd correlation rule.

I would also like to ask for an explanation of how the Threshold and Time Window inside AND gates work.

Threshold is the number of events and Time Window is just what its name says 🙂

Does the sequence have to be used only when there is more than one match component inside a gate?

If you have a single component there's no justification to use sequence.

Also, you might be interested in creating the first correlation as a component and the second as a rule if you're not interested in firing on 7 failed attempts as well.
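To make the two-gate logic concrete (the first gate's Threshold and Time Window, then a sequence into the success match), here is an added Python emulation of the rule described in this thread. It is not McAfee ESM code or anything from the attachment; the events are constructed samples, and the window sizes are the ones from the use case.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 7                      # "Threshold" of the first AND gate
FAIL_WINDOW = timedelta(minutes=60)     # "Time Window" of the first gate
SUCCESS_WINDOW = timedelta(minutes=60)  # success must follow gate 1 within this

def _ev(ts, ip, user, outcome):
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M"), ip, user, outcome)

# Constructed sample authentication events, not real logs.
SAMPLE_EVENTS = (
    # alice / 10.0.0.5: 7 failures in 7 minutes, success 20 min later -> alert
    [_ev(f"2024-01-01 10:0{i}", "10.0.0.5", "alice", "failure") for i in range(7)]
    + [_ev("2024-01-01 10:26", "10.0.0.5", "alice", "success")]
    # bob / 10.0.0.9: only 5 failures before the success -> threshold not met
    + [_ev(f"2024-01-01 11:0{i}", "10.0.0.9", "bob", "failure") for i in range(5)]
    + [_ev("2024-01-01 11:10", "10.0.0.9", "bob", "success")]
    # carol / 10.0.0.7: 7 failures 20 min apart -> never 7 inside one 60 min window
    + [_ev(f"2024-01-01 {12 + i * 20 // 60}:{i * 20 % 60:02d}", "10.0.0.7",
           "carol", "failure") for i in range(7)]
    + [_ev("2024-01-01 15:00", "10.0.0.7", "carol", "success")]
    # dave / 10.0.0.3: gate 1 closes, but the success comes > 60 min later -> no alert
    + [_ev(f"2024-01-01 16:0{i}", "10.0.0.3", "dave", "failure") for i in range(7)]
    + [_ev("2024-01-01 17:30", "10.0.0.3", "dave", "success")]
)

def correlate(events, threshold=FAIL_THRESHOLD,
              fail_window=FAIL_WINDOW, success_window=SUCCESS_WINDOW):
    """Gate 1: >= threshold failures per (src IP, user) inside fail_window.
    Gate 2 (sequence): a success from the same pair inside success_window.
    Returns a list of (ip, user, gate1_time, success_time) alerts."""
    failures = defaultdict(list)  # (ip, user) -> failure times still in window
    gate1_fired = {}              # (ip, user) -> time the threshold was reached
    alerts = []
    for ts, ip, user, outcome in sorted(events):
        key = (ip, user)
        if outcome == "failure":
            # sliding window: drop failures older than fail_window, add this one
            failures[key] = [t for t in failures[key] if ts - t <= fail_window] + [ts]
            if len(failures[key]) >= threshold and key not in gate1_fired:
                gate1_fired[key] = ts     # gate 1 closes; now wait for a success
                failures[key] = []
        elif outcome == "success" and key in gate1_fired:
            if ts - gate1_fired[key] <= success_window:
                alerts.append((ip, user, gate1_fired[key], ts))
            del gate1_fired[key]          # sequence consumed or expired either way
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for alice; lowering the threshold to 5 also alerts on bob, while carol and dave stay silent because one of the two windows is never satisfied.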

Re: Brute force Correlation Rule

Hi abanaru,

Many thanks for your support, that helped me a lot. Currently I am testing some CRLs and getting different results. I will try to troubleshoot and fix it.

If I get stuck I will definitely be back here.
