michal_be
Level 8

Brute force Correlation Rule

Hi guys,

I need somebody's help with the following use case:

Write a CRL which will capture:

7 failed logon attempts from the same Source IP and Source User in 10, 30 or 60 minutes,

followed by a successful logon from the same Source IP and Source User within 60 minutes after the previous 7 failures.

The CRLs are in the attachment and below is a screenshot from the Policy editor.

There are some questions:

1. Is there any sense in setting separate CRLs depending on the time in which those 7 failed logon attempts happen, or is one enough with a 60-minute gate inside?

    Will it work so that whatever happens first (Threshold or Time) closes this gate and then jumps to the next gate?

2. Is there any sense in setting a sequence inside the first gate (7 failures)? From tests, the number of triggers for those with a sequence in gate one is equal to those without the sequence enabled.

I would also like to ask for an explanation of how the Threshold and Time Window inside AND gates work.

Does the sequence have to be used only when there is more than one match component inside a gate?

Thank you in advance

Mike

0 Kudos
2 Replies
abanaru
Level 11

Re: Brute force Correlation Rule

1. Is there any sense in setting separate CRLs depending on the time in which those 7 failed logon attempts happen, or is one enough with a 60-minute gate inside?

One is enough.

    Will it work so that whatever happens first (Threshold or Time) closes this gate and then jumps to the next gate?

If you keep the 3 correlation rules, they will all fire if 7 failed logon attempts occur.

2. Is there any sense in setting a sequence inside the first gate (7 failures)? From tests, the number of triggers for those with a sequence in gate one is equal to those without the sequence enabled.

No, but you need a sequence for the 2nd correlation rule.

I would also like to ask for an explanation of how the Threshold and Time Window inside AND gates work.

Threshold is the number of events and Time Window is just what its name says :-)

Does the sequence have to be used only when there is more than one match component inside a gate?

If you have a single component there's no justification to use sequence.

Also, you might be interested in creating the first correlation as a component and the second as a rule if you're not interested in firing on 7 failed attempts as well.

0 Kudos
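
The two-gate logic discussed in the question and the reply above, written out as an added example in Python so the Threshold / Time Window / sequence behaviour can be checked against sample data. This is not code from the thread or from the correlation engine the post is about, and it does not reproduce that product's rule semantics; it is a plain re-implementation of the stated use case. The event tuple layout, the decision to reset the failure count once gate 1 closes, and the sample events (constructed, with four invented user names and RFC 1918 addresses) are all assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 8, 0, 0)


def _ev(minutes, ip, user, outcome):
    """Build one constructed event: (timestamp, src_ip, src_user, 'failure'|'success')."""
    return (T0 + timedelta(minutes=minutes), ip, user, outcome)


# Constructed sample events (not taken from the original post). Four actors:
#   alice: 7 failures inside 6 minutes, success 20 minutes later -> fires under every window
#   bob:   3 failures then a success                             -> below threshold, no alert
#   carol: 7 failures spread over 30 minutes, success at +40    -> fires under the 30/60 min windows only
#   dave:  a success FIRST, then 7 failures                      -> wrong order, never fires
SAMPLE_EVENTS = (
    [_ev(m, "10.0.0.5", "alice", "failure") for m in range(7)]
    + [_ev(26, "10.0.0.5", "alice", "success")]
    + [_ev(m, "10.0.0.9", "bob", "failure") for m in (1, 2, 3)]
    + [_ev(4, "10.0.0.9", "bob", "success")]
    + [_ev(m, "10.0.0.7", "carol", "failure") for m in range(0, 31, 5)]
    + [_ev(40, "10.0.0.7", "carol", "success")]
    + [_ev(0, "10.0.0.8", "dave", "success")]
    + [_ev(m, "10.0.0.8", "dave", "failure") for m in range(1, 8)]
)


def correlate(events, threshold=7,
              failure_window=timedelta(minutes=10),
              success_window=timedelta(minutes=60)):
    """Gate 1: `threshold` failures for one (src_ip, src_user) pair inside `failure_window`.
    Gate 2: a success for the same pair within `success_window` of the failure that
    completed gate 1.  Returns one (ip, user, gate1_time, success_time) tuple per match."""
    failures = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    armed = {}                      # (ip, user) -> time gate 1 closed, waiting for a success
    alerts = []
    for ts, ip, user, outcome in sorted(events, key=lambda e: e[0]):
        key = (ip, user)
        if outcome == "failure":
            window = failures[key]
            window.append(ts)
            # Time Window: keep only failures no older than failure_window from this one.
            while ts - window[0] > failure_window:
                window.popleft()
            # Threshold: the number of failures still inside the window.
            if len(window) >= threshold:
                armed[key] = ts
                window.clear()      # assumption: start a fresh count for the next burst
        elif outcome == "success":
            # Sequence between the gates: only a success AFTER gate 1 closed counts.
            # A success with no preceding burst, or one arriving too late, is discarded.
            gate1_time = armed.pop(key, None)
            if gate1_time is not None and ts - gate1_time <= success_window:
                alerts.append((ip, user, gate1_time, ts))
    return alerts


def fire_counts(events, windows_minutes=(10, 30, 60)):
    """Question 1 from the thread: run the same events through the three failure windows
    and report which users produce an alert under each one."""
    return {m: [a[1] for a in correlate(events, failure_window=timedelta(minutes=m))]
            for m in windows_minutes}


if __name__ == "__main__":
    for minutes, users in fire_counts(SAMPLE_EVENTS).items():
        print(f"{minutes:>2}-minute failure window -> alerts for {users}")
```

Running it shows what the reply says about keeping three rules: alice's tight burst fires under the 10, 30 and 60 minute windows alike, so three separate rules would produce three alerts for one attack, while the wider windows also catch carol's slower spray. Inside gate 1 the seven failure events are interchangeable, so no ordering is needed there; between the gates the order is what distinguishes dave (success, then failures) from alice, which is why the second part needs a sequence.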
michal_be
Level 8

Re: Brute force Correlation Rule

Hi abanaru,

Many thanks for your support, that helps me a lot. Currently I am testing some CRLs and getting different results. I will try to troubleshoot and fix it.

If I get stuck I will definitely be back here.

0 Kudos