Very new to the SIEM. I've basically inherited it and been told to make it do something and the above question is something that has cropped up.
I would be very appreciative if someone could advise how I can complete the above, please. I have tried within the alarms and, under Condition, used Specified Event Rate - event count 3, time frame 10 minutes - and within the filter I have specified the Signature ID. I can see a field for source user but don't know how to tell this field to match the same user within the certain time frame (see attached). Am I barking up the wrong tree here? I've seen something similar done in correlation but, in all honesty, haven't got anywhere near there yet.
As mentioned above, I would be extremely grateful for any assistance.
Hi and thanks for the response.
I've done a bit of looking into the correlation rule but still don't understand fully the process for creation. Would you be willing to give a step-by-step guide (or advise where I could find one that is suitable to my needs) please?
Thanks in advance for your assistance.
First, I recommend understanding what you are looking for. At the Default Summary, use the filters to the right and select Normalization, then select Authentication -> Login -> and select Host Login. You can stay at the Login level, but you will get logins for IIS, email, routers and other devices. You may not want that.
Next, select Event Type, and put in Failure. This will give a view of failed logins.
Now when you run that filter query, you will have an idea of how many or few data points match your query.
Next, go to the top and click on the Correlation tab. This will bring up all correlation rules. I find it easier to use an existing rule rather than create one from scratch. Note that you cannot modify an out-of-the-box rule: you would need to copy and paste one. For the sake of simplicity, all we are going to do is modify the parameters, so we won't need to copy and paste.
Scroll down until you see Login - Multiple Failed Login Attempts.
When you click on the rule, it looks like this:
Note the rule matches, in some sense, the filters you applied. We are looking for a normalization of Login, and the event subtype is Failure.
The other fields (context is external to internal) are set when you add your local IP to the variable Local Network under Asset Manager.
If you click on parameters (above) you see this:
Change the Number of Events to 3, save and you are on your way.
Once created, I would let the rule run to see how many you get. Then, if it looks like you are not inundated with these events, you can create an alarm. Under Alarms, you can select Field Match or Internal Event Match. If an Internal Event Match, you will alert on the Signature ID of the correlation rule.
If you alarm on Field Match, you need to create the rule you saw above. I recommend the product guide on alarms.
There is a lot more to correlation, and I recommend looking at the user guide for reference.
Hope this helps a little.
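To make the logic of the Multiple Failed Login Attempts rule concrete (login normalization, Failure subtype, N events per source user inside a time window), here is a small stand-alone correlator written for this thread; it is not part of the SIEM product or the posts above, and the event records and field names are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the thread): (timestamp, source user, event subtype).
# Events are assumed to arrive in time order, as a SIEM pipeline would feed them.
SAMPLE_EVENTS = [
    ("2024-01-01 09:00:00", "alice", "failure"),
    ("2024-01-01 09:02:00", "alice", "failure"),
    ("2024-01-01 09:03:00", "bob", "failure"),
    ("2024-01-01 09:05:00", "alice", "success"),   # ignored: only Failure counts
    ("2024-01-01 09:09:30", "alice", "failure"),   # alice's 3rd failure inside 10 min -> alert
    ("2024-01-01 09:20:00", "bob", "failure"),     # bob's 09:03 failure has aged out
    ("2024-01-01 09:31:00", "bob", "failure"),     # bob's 09:20 failure has aged out too
]


def correlate_failed_logins(events, threshold=3, window=timedelta(minutes=10)):
    """Return (timestamp, user, count) each time a user's failed logins within
    `window` reach `threshold` (the rule's Number of Events parameter).

    The grouping is per source user, which is what the original question asked
    about: the window slides independently for each user.
    """
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    alerts = []
    for ts_str, user, subtype in events:
        if subtype != "failure":
            continue  # the rule filters on event subtype = Failure
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        failures = recent[user]
        failures.append(ts)
        # Drop failures older than the window so the count reflects the last N minutes only.
        while ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            alerts.append((ts_str, user, len(failures)))
            failures.clear()  # fire once per burst rather than on every further failure
    return alerts


if __name__ == "__main__":
    for when, who, count in correlate_failed_logins(SAMPLE_EVENTS):
        print(f"{when}: {count} failed logins for {who} within 10 minutes")
```

Raising the threshold or widening the window is the equivalent of changing the rule's parameters in the GUI; the per-user grouping is what an event-rate alarm with only a Signature ID filter does not give you.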