leone
Level 7

Siem Alarm


Hi,

I've made an alarm that triggers on events with severity greater than 80, and it all works fine!

Now I'd like to make an alarm that triggers on events with severity greater than 80 and with an Event Count greater than 30.

In the event fields I didn't find the correct field; the field "count" doesn't work.

Does anyone have a tip?

Thanks

Luca


Accepted Solutions
xded
Level 12

Re: Siem Alarm


Go to your Correlation --> new Correlation rule --> set a new AND operator --> add a filter rule with Severity > 80 --> open the configuration of your AND operator and add your threshold of 30.

Add a correlation rule name and change the default Normalization. Save the rule, copy its Signature ID and paste it into your new Alarm with the condition Internal Event match.

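To make the mechanics of the accepted answer concrete, here is an added example (not code from the thread or from McAfee ESM) that models the same chain in Python: a Severity > 80 filter feeding an AND operator with a count threshold of 30, which emits an internal event carrying the correlation rule's own signature ID, and an alarm that matches only on that internal event. The signature ID, the time window and the sample events are assumptions for illustration.

```python
from collections import deque
from dataclasses import dataclass

# Assumed values; ESM assigns the real Signature ID when the rule is saved
CORRELATION_SIG_ID = "PLACEHOLDER-CORRELATION-SIG-ID"
SEVERITY_MIN = 80        # filter rule: Severity > 80
THRESHOLD = 30           # threshold configured on the AND operator
WINDOW_SECONDS = 600     # assumed time window for the threshold count

@dataclass
class Event:
    ts: int          # epoch seconds
    sig_id: str
    severity: int

class ThresholdCorrelation:
    """Filter (severity > 80) feeding an AND operator with a count threshold."""
    def __init__(self):
        self.hits = deque()   # timestamps of matching events inside the window

    def process(self, event):
        if event.severity <= SEVERITY_MIN:
            return None                   # filtered out, never counted
        self.hits.append(event.ts)
        while self.hits and event.ts - self.hits[0] > WINDOW_SECONDS:
            self.hits.popleft()           # age out hits older than the window
        if len(self.hits) < THRESHOLD:
            return None
        self.hits.clear()                 # fire once, then start a fresh count
        # the rule emits an internal event tagged with its own signature ID
        return Event(event.ts, CORRELATION_SIG_ID, 100)

def alarm_matches(event):
    """Alarm condition 'Internal Event match' on the correlation signature ID."""
    return event.sig_id == CORRELATION_SIG_ID

def run_alarm(events):
    """Return the internal events that would trigger the alarm."""
    rule = ThresholdCorrelation()
    fired = []
    for ev in sorted(events, key=lambda e: e.ts):
        internal = rule.process(ev)
        if internal is not None and alarm_matches(internal):
            fired.append(internal)
    return fired

def burst(start, count, severity, step=1):
    """Constructed sample input: `count` events of one severity, `step` s apart."""
    return [Event(start + i * step, "1-SAMPLE", severity) for i in range(count)]
```

Feeding `burst(0, 35, 90)` fires once (on the 30th event), while 40 low-severity events or 30 high-severity events spread 700 seconds apart never reach the threshold inside the window.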
3 Replies
leone
Level 7

Re: Siem Alarm


Works! Many thanks

auguste
Level 7

Re: Siem Alarm


Hi xded,

Thanks for your help. Just to be sure:

If you want to group 1 signature ID (for example Kerberos pre-authentication failed) and 1 criterion on event count (more than 20),

you have to:

1) In the Correlation rule, add an AND operator; then add the signature ID filter of our rule and a Severity filter > x?

2) Click on edit on the AND operator and select the threshold we want?

3) Name our correlation rule and... choose which normalization? (Undefined could be OK?)

4) Then save and copy the Signature ID xxx of the correlation that we've created?

5) Create an alarm on the signature ID xxx with the Internal Event condition?

Thank you in advance,
