schrmat
Level 9
Message 1 of 4

Getting notified when the ESM does not receive specific events

Hello, is it possible to receive a notification when the ESM does not receive specific events?

Example: A data source sends several events per hour with user "x" as destination user to the SIEM receiver. Now something happened with the Data Source and it is not sending events with user "x" anymore for 1 hour. After that hour the data source has recovered and starts sending the event again. I would like to be notified about that hour when the SIEM did not receive the events for user "x" anymore.

So the logic should be something like this: If data source "y" did not send events with "x" as destination user for "z" time (e.g. 1 hour) then send a mail.

Is there a way to implement it with Alarms and Correlations? I tested it with the Correlation option "This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level" and set data source "y" and destination user "x" as filter and time "z" as "Time Window", but that did not work. I guess the Correlations only work when specific events are appearing, but not if specific events are not appearing.

Thanks!
3 Replies
andriir
Level 8
Message 2 of 4

Re: Getting notified when the ESM does not receive specific events

The option "This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level" only works when there is another component in the same correlation rule which matches events which DO occur.


For example, a data source normally sends two types of events: "user logon" and "user logoff". You can create a correlation rule to trigger when in a period of 1 hour there was at least one "user logon" event, but no "user logoff" events (with some detailed conditions if you need them).


The closest thing to what you need is probably an alarm with condition "Deviation From Baseline". Set the sample period to 1 hour and it should compare the number of events for past hour to the average of past 24 hours.
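The two-component logic described in this reply (one component that must match, plus a second component flagged "only trigger if matches DO NOT occur"), as an added Python example that is not part of the thread and not ESM's own code. It evaluates a constructed event list over a fixed window and fires only when the first filter matched at least once and the second never did. It covers both the logon/logoff rule from the reply and the variant the original question asks for (data source "y" still active, but no events with destination user "x"). The field names, the `SAMPLE_EVENTS` list and the half-open window convention are assumptions made for illustration; ESM's internal evaluation is not described on this page.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real ESM data).
# Fields: time, data source, destination user, signature.
# Data source "y" keeps sending all afternoon, but nothing for user "x"
# lands between 14:00 and 15:00.
SAMPLE_EVENTS = [
    ("2024-05-01 13:05", "y", "x", "user logon"),
    ("2024-05-01 13:20", "y", "admin", "user logon"),
    ("2024-05-01 13:40", "y", "x", "user logoff"),
    ("2024-05-01 14:10", "y", "admin", "user logon"),
    ("2024-05-01 14:30", "y", "admin", "user logoff"),
    ("2024-05-01 14:50", "y", "svc", "user logon"),
    ("2024-05-01 15:05", "y", "x", "user logon"),
]

# Filters, written as field -> required value (assumed field names).
SOURCE_ACTIVE = {"data_source": "y"}                       # component 1 of the user-x rule
USER_X_EVENTS = {"data_source": "y", "dest_user": "x"}     # component 2, flagged "DO NOT occur"
LOGON = {"data_source": "y", "signature": "user logon"}    # component 1 of the logon/logoff rule
LOGOFF = {"data_source": "y", "signature": "user logoff"}  # component 2, flagged "DO NOT occur"

FMT = "%Y-%m-%d %H:%M"


def parse_events(rows):
    """Turn the raw tuples into dicts with a real timestamp."""
    return [
        {"time": datetime.strptime(ts, FMT), "data_source": ds,
         "dest_user": user, "signature": sig}
        for ts, ds, user, sig in rows
    ]


def matches(event, flt):
    """Every field in the filter must equal the event's field."""
    return all(event.get(field) == value for field, value in flt.items())


def absence_rule(events, window_start, window, present, absent):
    """Emulate a two-component correlation rule over one window.

    `present` is a normal component: at least one event in the window must
    match it.  `absent` carries the "only trigger if matches DO NOT occur"
    flag: the rule fires only if no event in the window matches it.
    The window is the half-open interval [window_start, window_start + window).
    A completely silent data source never fires this rule, because the
    `present` component has nothing to match.
    """
    window_end = window_start + window
    in_window = [e for e in events if window_start <= e["time"] < window_end]
    saw_present = any(matches(e, present) for e in in_window)
    saw_absent = any(matches(e, absent) for e in in_window)
    return saw_present and not saw_absent


def rule_fires(start, hours, present, absent, rows=SAMPLE_EVENTS):
    """Convenience wrapper: evaluate one window whose start is 'YYYY-MM-DD HH:MM'."""
    return absence_rule(parse_events(rows), datetime.strptime(start, FMT),
                        timedelta(hours=hours), present, absent)


def find_gaps(first, last, hours, step_minutes, present, absent, rows=SAMPLE_EVENTS):
    """Slide the window from `first` to `last` (inclusive) in steps of
    `step_minutes` and return the window starts at which the rule fires."""
    events = parse_events(rows)
    window = timedelta(hours=hours)
    start = datetime.strptime(first, FMT)
    stop = datetime.strptime(last, FMT)
    hits = []
    while start <= stop:
        if absence_rule(events, start, window, present, absent):
            hits.append(start.strftime(FMT))
        start += timedelta(minutes=step_minutes)
    return hits


if __name__ == "__main__":
    # Source still active, but no events for user x: fires for the 14:00 hour only.
    print(find_gaps("2024-05-01 13:00", "2024-05-01 16:00", 1, 60, SOURCE_ACTIVE, USER_X_EVENTS))
    # Logon seen but no logoff: fires for the 15:00 hour.
    print(find_gaps("2024-05-01 13:00", "2024-05-01 16:00", 1, 60, LOGON, LOGOFF))
    # 16:00 hour: the source sent nothing at all, so the rule stays quiet.
    print(rule_fires("2024-05-01 16:00", 1, SOURCE_ACTIVE, USER_X_EVENTS))
```

The last call in the `__main__` block is the caveat worth keeping in mind when relying on this rule shape: a data source that stops sending entirely produces no match for the first component, so the rule stays silent for exactly the outage you might care about most. That case needs a separate check, such as the baseline comparison mentioned above.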

schrmat
Level 9
Message 3 of 4

Re: Getting notified when the ESM does not receive specific events

Thank you for your quick reply and sorry for my late reply. 

I did a lot of tests in the meantime.


So if we work with the "Deviation From Baseline" we would have to set the value to 0% above and 100% below, right?

100% below would mean 0 events I suppose.

Do we have to use "Previous" or "Last" as Time frame?

What is the difference?

When we set it to 1 hour and it is currently 2:44 PM would "Previous" mean from 1:00 PM to 2:00 PM and "Last" from 1:44 PM to 2:44 PM?


Independently, wouldn't it be an option to use the Correlation Rule with "This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level" and set the filter like that:

1. Data Source = x

2. Data Source = x AND Destination User = x AND "This component should only trigger if matches DO NOT occur within the timeout period specified at the logical element level"

Time Windows = 1 hour

Logical AND between the Sequence


Because our Data Source is still getting events but during the problem only not from one specific user.

So the Correlation Rule would trigger when the Data Source is getting events but for an hour not from that specific user.


Thanks!

andriir
Level 8
Message 4 of 4

Re: Getting notified when the ESM does not receive specific events

>> When we set it to 1 hour and it is currently 2:44 PM would "Previous" mean from 1:00 PM to 2:00 PM and "Last" from 1:44 PM to 2:44 PM?
Correct
>> So the Correlation Rule would trigger when the Data Source is getting events but for an hour not from that specific user
Yes, this should work
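The "Previous" versus "Last" window semantics confirmed in this reply (at 2:44 PM, "Previous" is 1:00 PM to 2:00 PM and "Last" is 1:44 PM to 2:44 PM), together with the 1-hour sample against a 24-hour average from message 2, as an added Python example that is not part of the thread and not ESM code. It builds a constructed event stream with a one-hour gap, computes both window types, and compares the sample count to the per-hour average of the preceding 24 hours. The event sample (`generate_sample`) and the threshold evaluation in `fires` are assumptions; the thread does not describe how ESM itself evaluates the "above"/"below" percentages.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"


def generate_sample():
    """Constructed sample (not real ESM data): one event for user x every
    30 minutes (at :15 and :45) from 2024-04-30 12:15 up to 2024-05-01 14:44,
    except that the hour 13:00-14:00 on 2024-05-01 is missing (the outage)."""
    times = []
    t = datetime(2024, 4, 30, 12, 15)
    end = datetime(2024, 5, 1, 14, 44)
    gap_start = datetime(2024, 5, 1, 13, 0)
    gap_end = datetime(2024, 5, 1, 14, 0)
    while t < end:
        if not (gap_start <= t < gap_end):
            times.append(t)
        t += timedelta(minutes=30)
    return times


def previous_window(now, hours):
    """'Previous': the clock-aligned period that ended at the top of the
    current hour.  At 14:44 with hours=1 that is 13:00-14:00."""
    end = now.replace(minute=0, second=0, microsecond=0)
    return end - timedelta(hours=hours), end


def last_window(now, hours):
    """'Last': the period ending right now.  At 14:44 with hours=1 that is 13:44-14:44."""
    return now - timedelta(hours=hours), now


def window_bounds(now_str, hours, mode):
    """Return the chosen window as formatted strings, for reading and checking."""
    now = datetime.strptime(now_str, FMT)
    start, end = (previous_window if mode == "previous" else last_window)(now, hours)
    return start.strftime(FMT), end.strftime(FMT)


def count_in(times, start, end):
    """Events with start <= t < end."""
    return sum(1 for t in times if start <= t < end)


def baseline_check(times, now, sample_hours=1, baseline_hours=24, mode="previous"):
    """Compare the sample window's event count with the average count per
    sample-sized bucket over the `baseline_hours` immediately before it.
    Returns the count, the average and the deviation in percent."""
    window = previous_window if mode == "previous" else last_window
    s_start, s_end = window(now, sample_hours)
    b_start = s_start - timedelta(hours=baseline_hours)
    sample = count_in(times, s_start, s_end)
    buckets = baseline_hours / sample_hours
    average = count_in(times, b_start, s_start) / buckets
    pct = 0.0 if average == 0 else (sample - average) / average * 100
    return {"mode": mode, "sample": sample, "average": round(average, 3),
            "pct_change": round(pct, 1)}


def fires(result, pct_below=100.0, pct_above=None):
    """Assumed threshold semantics (the thread does not spell out ESM's):
    fire when the count is at least `pct_below` percent under the average,
    or, if `pct_above` is set, at least that far above it.  With
    pct_below=100 only a zero count in the sample window fires."""
    pct = result["pct_change"]
    return pct <= -pct_below or (pct_above is not None and pct >= pct_above)


def check_at(now_str, mode, sample_hours=1, baseline_hours=24):
    """Run the check on the constructed sample at a given wall-clock time."""
    return baseline_check(generate_sample(), datetime.strptime(now_str, FMT),
                          sample_hours, baseline_hours, mode)


if __name__ == "__main__":
    for mode in ("previous", "last"):
        r = check_at("2024-05-01 14:44", mode)
        print(window_bounds("2024-05-01 14:44", 1, mode), r,
              "alarm" if fires(r) else "quiet")
```

Run at 14:44 on the constructed data, "Previous" sees 0 events in 13:00-14:00 against an average of 2 per hour (100% below) and fires, while "Last" sees the 14:15 event already inside its 13:44-14:44 window, lands at roughly 49% below average, and stays quiet with a 100%-below threshold. That is the practical difference between the two window types for a gap that has already ended when the alarm is evaluated. In this model, an "above" threshold of 0 would fire on every window at or above average, so leave it unset if only absence matters.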