I need somebody's help with the following use case.
Write a CRL which will capture:
7 failed logon attempts from the same Source IP and Source User in 10, 30, 60 minutes,
followed by a successful logon from the same Source IP and Source User within 60 minutes after the previous 7 failures.
The CRLs are inside the attachment and below is a screenshot from the Policy Editor.
There are some questions:
1. Does it make sense to set separate CRLs depending on the time in which those 7 failed logon attempts happen, or is one enough with a 60-minute gate inside?
Will it work such that whatever happens first (Threshold or Time) will close this gate and then jump to the next gate?
2. Does it make sense to set a sequence inside the first gate (7 failures)? From tests, the number of triggers for those with sequence enabled in gate one is equal to those without sequence enabled.
I would also like to ask for an explanation of how the Threshold and Time Window inside AND gates work.
Does the sequence have to be used only when there is more than one match component inside a gate?
Thank you in advance
One is enough.
If you keep the 3 correlation rules, they will all fire if 7 failed logon attempts occur.
No, but you need sequence for the 2nd correlation rule.
Threshold is the number of events and Time Window is just what its name says 🙂
If you have a single component there's no justification to use sequence.
Also, you might be interested in creating the first correlation as a component and the second as a rule if you're not interested in firing on 7 failed attempts as well.
Many thanks for your support; that helps me a lot. Currently I am testing some CRLs and getting different results. I will try to troubleshoot and fix it.
If I get stuck I will definitely be back here.
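To make the gate semantics discussed above concrete, here is an added example (not part of the thread and not McAfee ESM rule syntax) that models the two-gate correlation in plain Python: gate 1 closes when the failure threshold is reached inside a sliding time window, gate 2 then waits for a success from the same Source IP and Source User within 60 minutes. The sample logon events, IPs and user names are constructed. Running the same event stream with 10-, 30- and 60-minute failure windows shows why one rule with the 60-minute window is enough: anything the narrower windows catch, the 60-minute window also catches.

```python
"""Two-gate brute-force-then-success correlation over constructed logon events.

Added example, not the forum author's rule or any vendor's engine.
Gate 1: FAILURE_THRESHOLD failures from the same (src_ip, user) inside a
        sliding failure_window (Threshold and Time Window of the AND gate).
Gate 2: a success from the same (src_ip, user) within SUCCESS_WINDOW after
        gate 1 closed; order is enforced, which is what "sequence" provides.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 7                    # gate 1 threshold (number of events)
SUCCESS_WINDOW = timedelta(minutes=60)   # gate 2 time window


def correlate(events, failure_window):
    """Return one alert per completed failures-then-success sequence.

    events: iterable of (timestamp, src_ip, user, outcome) with outcome in
            {"failure", "success"}; any order, sorted here by time.
    """
    failures = defaultdict(deque)   # key -> timestamps of recent failures
    armed_until = {}                # key -> deadline by which a success must arrive
    alerts = []
    for ts, src_ip, user, outcome in sorted(events):
        key = (src_ip, user)
        if outcome == "failure":
            dq = failures[key]
            dq.append(ts)
            # slide the window: forget failures older than failure_window
            while dq[0] < ts - failure_window:
                dq.popleft()
            if len(dq) >= FAILURE_THRESHOLD:
                armed_until[key] = ts + SUCCESS_WINDOW   # gate 1 closed, gate 2 opens
                dq.clear()                               # next trigger needs 7 fresh failures
        elif outcome == "success":
            deadline = armed_until.pop(key, None)        # gate 2 is one-shot per arming
            if deadline is not None and ts <= deadline:
                alerts.append({"src_ip": src_ip, "user": user,
                               "gate1_closed": deadline - SUCCESS_WINDOW,
                               "success": ts})
            failures[key].clear()   # a success resets the failure count for this key
    return alerts


def _t(hhmm):
    """Constructed timestamps on a single day."""
    return datetime(2019, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample events (hypothetical IPs and users, not real log data).
SAMPLE_EVENTS = [
    # alice: 7 failures within 9 minutes, success 20 minutes later -> alert
    *[(_t(f"08:{m:02d}"), "10.0.0.5", "alice", "failure") for m in (0, 1, 2, 3, 5, 7, 9)],
    (_t("08:29"), "10.0.0.5", "alice", "success"),
    # bob: 7 failures spread over 30 minutes, success 15 minutes later
    #      -> alert with a 30- or 60-minute window, not with a 10-minute one
    *[(_t(f"09:{m:02d}"), "10.0.0.6", "bob", "failure") for m in range(0, 31, 5)],
    (_t("09:45"), "10.0.0.6", "bob", "success"),
    # carol: 7 quick failures, but the success comes 84 minutes later -> gate 2 expired
    *[(_t(f"10:{m:02d}"), "10.0.0.7", "carol", "failure") for m in range(7)],
    (_t("11:30"), "10.0.0.7", "carol", "success"),
    # dave: 7 quick failures from one IP, success from a different IP -> different key
    *[(_t(f"12:{m:02d}"), "10.0.0.8", "dave", "failure") for m in range(7)],
    (_t("12:10"), "10.0.0.9", "dave", "success"),
    # erin: only 3 failures before the success -> threshold never reached
    *[(_t(f"13:{m:02d}"), "10.0.0.10", "erin", "failure") for m in range(3)],
    (_t("13:03"), "10.0.0.10", "erin", "success"),
]


def alert_keys(window_minutes):
    """(src_ip, user) pairs that alert for a given gate-1 Time Window."""
    alerts = correlate(SAMPLE_EVENTS, timedelta(minutes=window_minutes))
    return [(a["src_ip"], a["user"]) for a in alerts]


if __name__ == "__main__":
    for minutes in (10, 30, 60):
        print(f"{minutes:>2}-minute failure window:", alert_keys(minutes))
```

Note the two things the thread's answer states fall out of the model: a single rule with the 60-minute window produces a superset of the alerts of the 10- and 30-minute variants, so three rules only triple the firing; and gate 2 needs ordering (the success must come after the seventh failure), while gate 1 does not, since counting seven identical failure matches has no order to enforce.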