Create an alert when a user unsuccessfully logs on 3 times within 10 minutes

Hello everyone.

Very new to the SIEM. I've basically inherited it and been told to make it do something and the above question is something that has cropped up.

I would be very appreciative if someone could advise how I can complete the above please? I have tried within the alarms and under condition used Specified Event Rate - event count 3, time frame 10 minutes and within the filter I have specified the Signature ID. I can see a field for source user but don't know how to tell this field, the same user within the certain time frame (see attached). Am I barking up the wrong tree here? I've seen something similar done in correlation but in all honesty, haven't got anywhere near there yet.

As mentioned above, I would be extremely grateful for any assistance.

Many thanks,

Nick

4 Replies
dzh01
Level 9

Re: Create an alert when a user unsuccessfully logs on 3 times within 10 minutes

I'd go ahead and make this a correlation rule instead of an alarm.

Re: Create an alert when a user unsuccessfully logs on 3 times within 10 minutes

Hi and thanks for the response.

I've done a bit of looking into the correlation rule but still don't understand fully the process for creation. Would you be willing to give a step-by-step guide (or advise where I could find one that is suitable to my needs) please?

Thanks in advance for your assistance.

rgarrett
Level 9

Re: Create an alert when a user unsuccessfully logs on 3 times within 10 minutes

First, I recommend understanding what you are looking for. At the Default Summary, use the filters to the right and select Normalization, then select authentication -> Login -> and select host login. You can stay at the Login level, but you will get logins for IIS, email, routers and other devices. You may not want that.

correlation1.png

Next, select Event Type, and put in Failure. This will give a view of failed logins.

correlation2.png

Now when you run that filter query, you will have an idea of how many or few data points match your query.

Next, go to the top and click on the correlation tab. This will bring up all correlation rules. I find it easier to use an existing rule rather than create one from scratch. Note that you cannot modify an out-of-the-box rule: you would need to copy and paste one. For the sake of simplicity, all we are going to do is modify the parameters, so we won't need to copy and paste.

Scroll down until you see Login - Multiple Failed Login Attempts

When you click on the rule, it looks like this:

correlaton_4.png

Note the rule matches in some sense the filters you applied. We are looking for a normalization of login, and the event subtype is failure.

The other fields (context in external to internal) are set when you add your local IP to the variable local network under Asset Manager.

If you click on parameters (above) you see this:

correlation5.png

Change the Number of Events to 3, save and you are on your way.

Once created, I would let the rule run to see how many you get. Then, if it looks like you are not inundated with these events, you can create an alarm. Under alarms, you can select Field Match or Internal Event Match. If an internal event match, you will alert on the signature ID of the correlation rule.

correlaton6.png

corrlation7.png

If you alarm on Field Match, you need to create the rule you saw above. I recommend the product guide on alarms.

There is a lot more to correlation, and I recommend looking at the user guide for reference.

Hope this helps a little.
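The point that separates the original question's alarm attempt from the correlation rule rgarrett describes is the grouping: the count of failures has to be kept per user, inside a sliding time window, rather than as a global event rate. The following Python script is an added example, not code from the thread or from the SIEM product, that shows that logic run over a handful of constructed, normalized login events (timestamp, user, event subtype). The record format, the user names and the timestamps are all made up for the example; the threshold of 3 failures in 10 minutes is the one the thread asks about.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 3                    # failures needed before an alert fires
WINDOW = timedelta(minutes=10)   # sliding window length

# Constructed sample events (not real logs). Each record is
# "<ISO-8601 timestamp> <user> <event subtype>", mirroring the normalized
# login / failure filter the thread builds in the SIEM.
SAMPLE_EVENTS = [
    "2024-03-01T09:00:00Z alice failure",
    "2024-03-01T09:02:00Z bob failure",
    "2024-03-01T09:04:00Z alice failure",
    "2024-03-01T09:05:00Z alice success",  # ignored: only failures count
    "2024-03-01T09:09:30Z alice failure",  # 3rd alice failure in 9.5 min -> alert
    "2024-03-01T09:10:00Z alice failure",  # history cleared after alert: count restarts at 1
    "2024-03-01T09:15:00Z bob failure",    # bob's 09:02 failure is 13 min old and drops out
    "2024-03-01T09:30:00Z bob failure",    # 09:15 is 15 min old and drops out: count 1
    "2024-03-01T09:31:00Z bob failure",    # count 2
    "2024-03-01T09:33:00Z bob failure",    # count 3 within 3 min -> alert
]


def parse_event(line):
    """Parse one constructed 'timestamp user subtype' record.

    Returns (ts, user, subtype); ts is a timezone-aware UTC datetime.
    """
    ts_text, user, subtype = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, user, subtype


def detect_failed_logins(lines, threshold=THRESHOLD, window=WINDOW):
    """Return a list of (alert_time, user, failure_count) tuples.

    Events are processed in timestamp order. Only 'failure' events count;
    successes are skipped. For each user a deque holds the timestamps of
    recent failures; entries older than `window` (measured from the newest
    failure) are dropped before counting. When the count reaches
    `threshold` an alert is recorded and that user's history is cleared,
    so the same failures are reported once rather than on every further
    attempt.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ts, user, subtype = parse_event(line)
        if subtype != "failure":
            continue
        q = recent[user]
        q.append(ts)
        # Slide the window: discard failures more than `window` before `ts`.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, user, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for when, who, count in detect_failed_logins(SAMPLE_EVENTS):
        print(f"{when.isoformat()} ALERT user={who} failures={count} in {WINDOW}")
```

Run as-is it reports two alerts, one for alice at 09:09:30 and one for bob at 09:33:00; bob's earlier failures never trigger because no three of them fall inside a single 10-minute span. Clearing the user's history after an alert is a deliberate choice: without it, a fourth and fifth failure would re-alert on the same burst, which is the kind of noise the advice to "let the rule run to see how many you get" is meant to surface before an alarm is attached.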

Re: Create an alert when a user unsuccessfully logs on 3 times within 10 minutes

Many thanks for this! It is very much appreciated. Will certainly get me pointed in the right direction.

Thanks again!
