I have been attempting to create a correlation rule that would fire based off a watchlist for most of this week with little success. The watchlist is populating with the admins I want to monitor correctly but this rule never fires.
I have removed the time of day, the sub type, everything I can think of to see if this is firing with the broadest parameters. It is not. I've rolled it out and made an alarm based off this rule's Signature ID. One of the admin accounts fires constantly (another issue entirely) so I should see data within a half hour.
What am I doing wrong in either the correlation creation process, rolling out the rule or something totally unforeseen?
The documentation available, again unless I'm mistaken, is not detailed regarding nuance. Furthermore I have not been able to find anything within the community, but I'm still researching. If there is information I can provide to help please feel free to let me know as this is a time sensitive matter.
Yes correlation rules do fire.
Some of the verbiage I've read is that inside the ACE component (we do not have this) the default is "disable" and after rolling out it needs to be enabled for it to work.
I've created a view just to see if the watchlist data populates and I see the data I'm looking for...
Thanks for the tip on Group By. Very frustrated this is not working yet.
Yep I actually got it working for the better part of last night.
I ended up changing the format:
So clearly right now I have no timeframe involved with this Correlation rule. I did it in the broadest sense I could think of. I rolled it out to everything and applied the alarm to every device.
What troubles me is a couple of things. Why is it when I roll it out to say just the Windows servers and workstations it doesn't work when that's all these admins on the watchlist are logging into to generate the alert in the first place. Second, and for the exact same reason, do I have to apply every device in the conditions part of the alarm for it to fire? I should be able to specify specific devices etc.
Why is it when I roll it out to say just the Windows servers and workstations it doesn't work when that's all these admins on the watchlist are logging into to generate the alert in the first place.
What's the error?
Second, and for the exact same reason, do I have to apply every device in the conditions part of the alarm for it to fire? I should be able to specify specific devices etc.
It will do all devices by default; you can explicitly include a device so the rule fires on events that occurred on that particular device only.
There is a variable called working hours, but it's in GMT, so make sure you convert it into your time zone for working hours. Can add this into the top logical group.
Yes I know that's the case regarding both the variable and GMT.
The rule itself is for non-working hour logins (whether a success or failure) so inside the component I've been adding in "Time of Day" and then 1000 to 0500 hours.
I'm more concerned with the issues I'm seeing in the rollout and the alarm in terms of having to deploy it to everything for it to work correctly.
The client I'm working with doesn't have the ACE (device/appliance...component?). Would that affect anything and/or limit one's ability to implement correlation rules?
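The logic the thread is trying to build (watchlisted admin + logon outside local working hours, with the SIEM's event time in GMT) as a stand-alone added example; this is illustration code, not McAfee ESM's own rule engine, and the watchlist names, the 2200-0500 local window, the fixed UTC-5 offset and the sample events are all constructed assumptions. It handles the window that wraps midnight, which a naive start <= t <= end comparison gets wrong.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed watchlist of admin accounts (constructed for this example).
ADMIN_WATCHLIST = {"admin.jsmith", "svc_backup_admin"}

# Assumed site time zone: fixed UTC-5 offset. Replace with a zoneinfo
# zone for DST-aware conversion in production.
LOCAL_TZ = timezone(timedelta(hours=-5))

# Assumed non-working-hours window in *local* time, as minutes since
# midnight. 2200 -> 0500 wraps midnight.
WINDOW_START = 22 * 60
WINDOW_END = 5 * 60


@dataclass
class LogonEvent:
    user: str
    host: str
    ts_utc: datetime   # the SIEM stores event time in UTC/GMT
    outcome: str       # "success" or "failure"; both count for this rule


def in_window(minute_of_day: int, start: int, end: int) -> bool:
    """True when minute_of_day lies in [start, end); wraps past midnight if start > end."""
    if start <= end:
        return start <= minute_of_day < end
    return minute_of_day >= start or minute_of_day < end


def rule_fires(ev: LogonEvent) -> bool:
    """Correlation condition: watchlisted admin logging on outside local working hours."""
    if ev.user not in ADMIN_WATCHLIST:
        return False
    local = ev.ts_utc.astimezone(LOCAL_TZ)   # GMT -> site time before comparing
    return in_window(local.hour * 60 + local.minute, WINDOW_START, WINDOW_END)


def evaluate(events):
    """Return the events the rule would raise an alarm for."""
    return [ev for ev in events if rule_fires(ev)]


# Constructed sample events (not from the thread).
SAMPLE_EVENTS = [
    LogonEvent("admin.jsmith", "WS-0142", datetime(2024, 3, 5, 3, 15, tzinfo=timezone.utc), "success"),      # 22:15 local
    LogonEvent("admin.jsmith", "SRV-DC01", datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc), "failure"),     # 09:00 local
    LogonEvent("jdoe", "WS-0007", datetime(2024, 3, 5, 4, 0, tzinfo=timezone.utc), "success"),               # not watchlisted
    LogonEvent("svc_backup_admin", "SRV-FS02", datetime(2024, 3, 5, 9, 30, tzinfo=timezone.utc), "failure"),  # 04:30 local
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {ev.user}@{ev.host} {ev.ts_utc.isoformat()} {ev.outcome}")
```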