Has anyone managed to build a rule to use in reporting, detecting repeat offenders over time and producing a monthly report on it?
- I have tried using the normalization malware criteria, monitoring the destination user.
- Also tried defining all the relevant signature IDs and threat category (av.detect), monitoring the destination user with defined time/day parameters.
Is there anyone out there doing anything similar with mining ePO data?
You might try something like this:
You need to put a delay in before triggering the correlation rule, to take into account the fact that many events come in short bursts triggered by a single user action.
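As an added illustration of the approach in the reply above (this is example code, not from the thread, from ePO or from the SIEM vendor), the script below does offline what the correlation rule is meant to do: it takes av.detect events keyed on the destination user, collapses events that arrive within a short burst window into a single incident, and then counts incidents per user for one reporting month, flagging anyone at or above a threshold. The pipe-delimited export format, the 10-minute burst window, the threshold of two incidents and the sample event lines are all constructed assumptions for the example.

```python
"""Repeat-offender report over ePO-style AV detection events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: events within this window for the same user are one incident,
# so a single user action that fires many detections is counted once.
BURST_WINDOW = timedelta(minutes=10)

# Constructed sample export: timestamp | destination user | threat category | signature
# (field layout is hypothetical, not an actual ePO/ESM export format)
SAMPLE_EVENTS = """\
2019-03-02T09:14:05|alice|av.detect|Trojan.Generic
2019-03-02T09:14:07|alice|av.detect|Trojan.Generic
2019-03-02T09:14:09|alice|av.detect|Trojan.Generic
2019-03-09T16:40:00|alice|av.detect|Adware.Generic
2019-03-21T11:02:30|alice|av.detect|Trojan.Generic
2019-03-04T08:00:00|bob|av.detect|PUP.Optional
2019-03-04T08:00:01|bob|av.detect|PUP.Optional
2019-03-18T14:22:10|carol|av.detect|Exploit.Generic
2019-02-27T10:00:00|alice|av.detect|Trojan.Generic
2019-03-05T12:00:00|dave|av.clean|Trojan.Generic
"""


def parse_events(text):
    """Parse the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, category, signature = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "category": category,
            "signature": signature,
        })
    return events


def collapse_bursts(events, window=BURST_WINDOW):
    """Return {user: [incident_start, ...]}.

    Events are processed in time order; a new incident is opened for a user
    only when the gap since that user's previous event exceeds `window`.
    """
    incidents = defaultdict(list)
    last_seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        prev = last_seen.get(user)
        if prev is None or ev["ts"] - prev > window:
            incidents[user].append(ev["ts"])
        last_seen[user] = ev["ts"]
    return dict(incidents)


def monthly_repeat_offenders(events, year, month, threshold=2,
                             window=BURST_WINDOW, category="av.detect"):
    """Return {user: incident_count} for users with >= threshold incidents
    of the given category in the given calendar month."""
    in_scope = [
        e for e in events
        if e["category"] == category
        and e["ts"].year == year and e["ts"].month == month
    ]
    incidents = collapse_bursts(in_scope, window)
    counts = {user: len(starts) for user, starts in incidents.items()}
    return {user: n for user, n in counts.items() if n >= threshold}


def format_report(offenders):
    """Render the offender dict as report lines, worst offender first."""
    return [f"{user}: {n} incidents"
            for user, n in sorted(offenders.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for line in format_report(monthly_repeat_offenders(evs, 2019, 3)):
        print(line)
```

With the sample data, alice's three detections on 2 March collapse to one incident, her February event falls outside the reporting month, and dave's av.clean event is ignored, so only alice (three incidents in March) is reported at the default threshold. A burst that straddles midnight on the last day of the month would be split by the month filter before collapsing; if that matters for the report, filter after collapsing instead.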
Thanks for your response, Andrew. I will be looking into your recommendation and creating a test rule.
So far I managed to get the rule to trigger with the attached configuration, monitoring the destination field.
The objective of this rule is to monitor repeat offenders and trend the data based on BU etc.
I will still dig around more. If anyone has something similar working, please share the information.