japie
Level 9
Message 1 of 3

EPO Correlation Rule - Repeated malware from a single user over time.

Hi Folks

Has anyone managed to build a rule to use in reporting, detecting repeat offenders over time and producing a monthly report on it?

- I have tried using the normalization malware criteria monitoring the destination user.

- Also tried defining all the relevant signature IDs and threat category (av.detect), monitoring the destination user with defined time/day parameters.

Is there anyone out there doing anything similar with mining ePO data?

Thanks,

Japie

2 Replies

Re: EPO Correlation Rule - Repeated malware from a single user over time.

You might try something like this:

  • Insert the destination user into a watchlist with a timeout equal to your period of interest.
  • Update the list on each malware event to refresh the timer.
  • Create a correlation rule that fires if the user is in the list and the time since the last event is greater than, say, 30 minutes...and I'm not sure how this bit would be done without trying it.

You need to put a delay in before triggering the correlation rule to take into account the fact that many events come in short bursts triggered by a single user action.

cheers

Andrew
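The watchlist-with-timeout approach Andrew outlines, written out as an added example (not code from the original thread or from ePO/the SIEM): events closer than 30 minutes are collapsed into one incident, every event refreshes the user's timer, and a user is reported when they have two or more distinct incidents inside the 30-day window. The event tuples, user names, signature names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of ePO-style AV detection events: (timestamp, destination user, signature).
# alice's first three events arrive minutes apart (one burst from a single action); her
# later two are separate incidents on later days. bob has a single burst only.
SAMPLE_EVENTS = [
    ("2024-03-01 09:00:00", "alice", "EICAR test file"),
    ("2024-03-01 09:01:30", "alice", "EICAR test file"),
    ("2024-03-01 09:12:00", "alice", "EICAR test file"),
    ("2024-03-08 14:20:00", "alice", "Generic.dx"),
    ("2024-03-15 11:05:00", "alice", "Trojan.Downloader"),
    ("2024-03-02 10:00:00", "bob", "EICAR test file"),
    ("2024-03-02 10:03:00", "bob", "EICAR test file"),
]

BURST_GAP = timedelta(minutes=30)    # events closer than this count as one user action
REPORT_WINDOW = timedelta(days=30)   # watchlist timeout / monthly reporting period
REPEAT_THRESHOLD = 2                 # distinct incidents needed to be a repeat offender

def parse_ts(ts_str):
    return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")

def collapse_bursts(events, gap=BURST_GAP):
    """Map each user to the start times of their distinct incidents. A new
    incident starts only when the gap since that user's previous event exceeds
    `gap`; this is the delay Andrew suggests before a correlation rule fires."""
    incidents = defaultdict(list)
    last_seen = {}                   # user -> timestamp of previous event
    for ts_str, user, _sig in sorted(events):
        ts = parse_ts(ts_str)
        if user not in last_seen or ts - last_seen[user] > gap:
            incidents[user].append(ts)
        last_seen[user] = ts         # refresh the watchlist timer on every event
    return incidents

def repeat_offenders(events, now_str, window=REPORT_WINDOW, threshold=REPEAT_THRESHOLD):
    """Return {user: incident_count} for users with at least `threshold` distinct
    incidents inside the last `window` before `now_str` (older entries have timed out)."""
    cutoff = parse_ts(now_str) - window
    report = {}
    for user, starts in collapse_bursts(events).items():
        recent = [t for t in starts if t >= cutoff]
        if len(recent) >= threshold:
            report[user] = len(recent)
    return report

if __name__ == "__main__":
    print(repeat_offenders(SAMPLE_EVENTS, "2024-03-31 00:00:00"))   # {'alice': 3}
```

Feeding real ePO detection exports through the same two functions (with the BU field carried alongside the user) gives the per-user incident counts the monthly trend report needs, without bursts from one infected file inflating the numbers.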

japie
Level 9
Message 3 of 3

Re: EPO Correlation Rule - Repeated malware from a single user over time.

Thanks for your response, Andrew. I will be looking into your recommendation and creating a test rule.

So far I managed to get the rule to trigger with the attached configuration, monitoring the destination field.

The objective of this rule is to monitor repeat offenders and trend the data based on BU etc.

I will still dig around more. If anyone has something similar working, please share the information.

Thanks,

Japie

Attachment: rule_1.PNG