Correlation Rule - Collecting all events in past 24 hours

Hi,

I want to create a correlation rule that will collect every single matching log created (by certain conditions, of course) within a 24-hour range (per user).

Meaning,

I want the signature ID to be created only ONCE per source user, and to collect all relevant logs within the 24-hour range. Any suggestions?

3 Replies

Re: Correlation Rule - Collecting all events in past 24 hours

I sat and thought about how to answer your question... I had 3 different answers typed out and they all made different assumptions about what your end goal is.

Can you explain what you are trying to do in a more general sense?

Is there something after this you are trying to accomplish?

If you just want the user's events over 24 hours, correlation is not what you are looking for. You want to use the reporting functionality with some grouping.

Brent

Re: Correlation Rule - Collecting all events in past 24 hours

Hi and thank you for replying!

My main goal is to check if the event volume is "normal" before I create an alarm...
I want to detect (alert on) successful domain admin authentications outside business hours. Therefore, as a first step I want to evaluate how many times an off-business-hours event is received (per source user) in a 24-hour range, and I want it all to be collected under the same signature ID.

Maybe I should consider using a report for this check, what do you think?

Re: Correlation Rule - Collecting all events in past 24 hours

I think you are looking at a report here to start with.

This can easily be accomplished with a grouping (count) on 'source user' where the signature ID is the one you are looking for. I assume you are looking for a Windows event? What's the ID? I will see if I can quickly build a report for you. With reports you can even do a distribution over the past days and such to find trends.

Brent