Most grateful for your custom rule help

1. How would you go about creating a rule to alert if a port was used outside of what is historically "normal"?

2. How would you create a rule to alert if a user account is created that is other than the default naming convention (for example letter followed by numbers)?

Thank you!

3 Replies

Re: Most grateful for your custom rule help

Hi,

1. Create a watchlist of "normal" ports being used and, while creating the rule, select the watchlist with the condition "Not In" the normal watchlist. This should work.

2. I will get back to you on that

Regards,

Vinaya

Re: Most grateful for your custom rule help

Thank you. My only concern there is I would need to define the ports myself. I suspect the SIEM can leverage a deviation from baseline to alert on a port it has not historically seen. This way the determination can be made if some new software was added or if there is a security concern.
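Added example (not code from this thread or from the SIEM vendor): a small Python script that shows both approaches side by side on constructed connection records, the static "Not In watchlist" check from the first reply and the learned per-host port baseline the follow-up asks about. The record format (`timestamp host port`), the host names, the ports and the cutoff date are all assumptions made up for the demonstration; a real SIEM would feed these functions from its parsed events.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample connection records (not real log data): ISO time, source host, destination port.
SAMPLE_EVENTS = [
    "2024-01-01T09:00:00 host-a 443",
    "2024-01-01T09:05:00 host-a 80",
    "2024-01-01T09:10:00 host-b 22",
    "2024-01-01T10:00:00 host-b 443",
    "2024-01-02T09:00:00 host-a 443",
    "2024-01-02T11:30:00 host-a 4444",   # never used by host-a during the baseline window
    "2024-01-02T11:45:00 host-b 22",
    "2024-01-02T12:00:00 host-c 3389",   # host that has no baseline at all
]

# Everything before this instant is the learning window; everything at/after it is evaluated.
CUTOFF = "2024-01-02T00:00:00"

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<port>\d+)$")


def parse(line):
    """Return (datetime, host, port) or None for a line that does not match the assumed format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["host"], int(m["port"]))


def flag_not_in_watchlist(lines, allowed_ports):
    """Static approach from the first reply: alert whenever the port is NOT IN the allowed watchlist."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev and ev[2] not in allowed_ports:
            alerts.append((ev[1], ev[2]))
    return alerts


def build_baseline(lines, cutoff_iso):
    """Learn, per host, the set of ports observed strictly before the cutoff (the 'historically normal' set)."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev and ev[0] < cutoff:
            baseline[ev[1]].add(ev[2])
    return dict(baseline)


def flag_baseline_deviations(lines, baseline, cutoff_iso):
    """Alert on events at/after the cutoff whose port the host never used in its baseline.

    A host with no baseline at all is reported separately: that is usually new software
    or a new system rather than a port change, and deserves a different triage path.
    """
    cutoff = datetime.fromisoformat(cutoff_iso)
    alerts = []
    for line in lines:
        ev = parse(line)
        if not ev or ev[0] < cutoff:
            continue
        _, host, port = ev
        known = baseline.get(host)
        if known is None:
            alerts.append((host, port, "no baseline for host"))
        elif port not in known:
            alerts.append((host, port, "port not in baseline"))
    return alerts


if __name__ == "__main__":
    print("watchlist:", flag_not_in_watchlist(SAMPLE_EVENTS, {22, 80, 443}))
    bl = build_baseline(SAMPLE_EVENTS, CUTOFF)
    print("baseline:", bl)
    print("deviations:", flag_baseline_deviations(SAMPLE_EVENTS, bl, CUTOFF))
```

The watchlist variant needs the analyst to enumerate the allowed ports up front; the baseline variant learns them per host from the window before the cutoff, so a port that is normal on one server still alerts when it first appears on another. In practice the learning window should be long enough to cover weekly or monthly jobs, or those will surface as false positives once the rule goes live.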

Re: Most grateful for your custom rule help

For your second question, use a Watchlist, set as dynamic and use a regex that will pick usernames that are not allowed.

Watchlists are limited to 10k (9.1) or 25k (9.2) items.

You can then use the watchlist in a correlation rule for events where accounts are created.
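Added example (not code from this thread or from the SIEM vendor) showing the logic behind that dynamic watchlist in Python: account-creation events are parsed, each new username is tested against the default convention from the question (one letter followed by digits), and the names that fail the test are collected into a deduplicated list that a correlation rule could match against. The `event=... user=... by=...` record format, the usernames and the regex `^[A-Za-z][0-9]+$` are assumptions for the demonstration; the `limit` argument mirrors the 10k/25k watchlist caps mentioned in the reply.

```python
import re

# Default naming convention from the question: exactly one letter followed by one or more digits (assumed).
DEFAULT_NAME_RE = re.compile(r"^[A-Za-z][0-9]+$")

# Constructed account-creation events (not real logs), as key=value pairs.
SAMPLE_CREATE_EVENTS = [
    "event=account_created user=a12345 by=admin1",
    "event=account_created user=svc_backup by=admin1",
    "event=account_created user=b7 by=admin2",
    "event=account_created user=Administrator2 by=admin2",
    "event=account_created user=a12345 by=admin3",   # conforming name created again
    "event=password_changed user=zz99 by=admin1",    # not a creation event, ignored
    "event=account_created user= by=admin1",        # empty username: treated as nonconforming
]

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_event(line):
    """Turn 'k=v k=v' into a dict; a missing value yields an empty string rather than a crash."""
    return dict(KV_RE.findall(line))


def is_conforming(username):
    """True when the username matches the default convention."""
    return bool(DEFAULT_NAME_RE.match(username.strip()))


def nonconforming_creations(lines):
    """Usernames from account_created events that do NOT match the convention, in event order."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        if fields.get("event") != "account_created":
            continue
        user = fields.get("user", "")
        if not is_conforming(user):
            hits.append(user)
    return hits


def build_dynamic_watchlist(lines, limit=10000):
    """Deduplicated, sorted nonconforming names for the watchlist.

    Empty names are dropped (nothing to match on), and the result is checked against
    `limit`, standing in for the 10k (9.1) / 25k (9.2) item cap noted in the reply.
    """
    names = sorted({n for n in nonconforming_creations(lines) if n})
    if len(names) > limit:
        raise ValueError(f"watchlist would hold {len(names)} entries, over the {limit} cap")
    return names


if __name__ == "__main__":
    print("flagged:", nonconforming_creations(SAMPLE_CREATE_EVENTS))
    print("watchlist:", build_dynamic_watchlist(SAMPLE_CREATE_EVENTS))
```

Matching against the convention with a positive regex and inverting the result is easier to maintain than trying to write one regex for every name that is "not allowed", and the empty-username case shows why the check should run on the parsed field rather than on the raw line. Keep the watchlist trimmed (for example, age out names once the account is reviewed) so it stays under the platform's item limit.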