Former Member
Message 1 of 7

Simple Correlation Tutorial?

Hey guys,

I've been in the SIEM business for quite a while now (6+ years and counting 😜).

I've chewed and eaten ArcSight, AlienVault, Symantec, Q1 and a few others (loggers).

I recently got the time-bombed version of the ESM in order to test it for a few clients.

Setting up the receiver is quite easy and painless; however, when trying to create a simple rule (2 failed logons by the same user on a Windows system), the rule will just not trigger.

I tried changing it via a normalization filter and via message context, but NADA.

It just won't trigger, although the events are pouring in correctly.

Any heads-up?

Thanks

6 Replies
Former Member
Message 2 of 7

Re: Simple Correlation Tutorial?

Could you perhaps post a screenshot of your rule in progress, and we can provide some suggestions for tweaking it?

Former Member
Message 3 of 7

Re: Simple Correlation Tutorial?

Sure thing, screenshot attached.

The signature ID is a signature for event ID 529, local failed logon on Windows (2003).

failedlogon.png

Former Member
Message 4 of 7

Re: Simple Correlation Tutorial?

OK, I see what's going on.  You're very close, but you have used too many filter elements.  The way the rule is written in your screenshot, it should trigger when the correlation engine sees:

  • Two logins (event 529) AND
  • Two failures (of any type, any event)
  • All with the same Source User
  • All within 2 minutes.

What you really want is to use a single filter element, with both of these conditions baked into it.  Any events that match both criteria will then cause that rule element to trigger.

In addition, take a hard look at the individual authentication failure events that you're seeing from Windows.  I see you've specifically called out Sig ID 43-211005291.  There are a couple different formats for 529 login events (thanks, Microsoft), which map to several different signatures.  Also, different versions of Windows use different Event IDs entirely (see, for example, 4625)...so it's worth making sure that this really is the Sig ID you need.  It's possible you're seeing login failure events that are parsed by a slightly different parsing rule, with a different Sig ID, that might not trigger.

A more robust way to filter for these events might be to use our Normalization taxonomy.  This rule would work for any authentication failures, regardless of whether they're coming from Windows or a VPN or a Linux box.

7-31-2013 6-34-51 AM.gif

As a final suggestion, you might consider doing the "Group By" both Source User AND Dest IP.  That way, the rule will track login state for different systems individually.  If the user generates a single failed VPN login and failed Windows login, grouping by Dest IP in your rule will prevent the rule from triggering.  Not sure if that's important to you or not, but something to consider.

Hope you find this helpful.  Welcome to the world of McAfee ESM!

Scott
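
To illustrate Scott's two points above (one filter element with both conditions ANDed, and grouping by Source User plus Dest IP), here is an added Python sketch of the same sliding-window counting over constructed events. It is not ESM code; the field names, the "Authentication.Failure" taxonomy value and the "VPN-FAIL" signature are assumptions, while 43-211005291 is the Windows 529 signature from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real ESM output). Field names, the
# "Authentication.Failure" taxonomy value and the "VPN-FAIL" signature are
# assumptions; 43-211005291 is the Windows 529 signature from the thread.
EVENTS = [
    {"time": "2013-07-31 06:30:00", "sig_id": "43-211005291", "category": "Authentication.Failure", "src_user": "alice", "dst_ip": "10.0.0.5"},
    {"time": "2013-07-31 06:30:40", "sig_id": "43-211005291", "category": "Authentication.Failure", "src_user": "alice", "dst_ip": "10.0.0.5"},
    {"time": "2013-07-31 06:31:00", "sig_id": "VPN-FAIL",     "category": "Authentication.Failure", "src_user": "bob",   "dst_ip": "10.0.0.9"},
    {"time": "2013-07-31 06:31:30", "sig_id": "43-211005291", "category": "Authentication.Failure", "src_user": "bob",   "dst_ip": "10.0.0.5"},
    {"time": "2013-07-31 06:40:00", "sig_id": "43-211005291", "category": "Authentication.Failure", "src_user": "carol", "dst_ip": "10.0.0.5"},
    {"time": "2013-07-31 06:43:00", "sig_id": "43-211005291", "category": "Authentication.Failure", "src_user": "carol", "dst_ip": "10.0.0.5"},
]

def windows_529_failure(ev):
    """Single filter element with both conditions ANDed, as Scott suggests."""
    return ev["sig_id"] == "43-211005291" and ev["category"] == "Authentication.Failure"

def any_auth_failure(ev):
    """Taxonomy-based filter: any authentication failure, whatever the source."""
    return ev["category"] == "Authentication.Failure"

def correlate(events, match, group_by, threshold=2, window=timedelta(minutes=2)):
    """Fire once `threshold` matching events share the same group_by key
    within `window`; returns [(key, time_of_triggering_event), ...]."""
    buckets = defaultdict(list)   # group key -> timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not match(ev):
            continue
        t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        key = tuple(ev[f] for f in group_by)
        seen = [s for s in buckets[key] if t - s <= window]  # drop expired entries
        seen.append(t)
        if len(seen) >= threshold:
            alerts.append((key, ev["time"]))
            seen = []  # reset the counter after firing
        buckets[key] = seen
    return alerts

if __name__ == "__main__":
    # Group by Source User only: alice and bob fire (bob's VPN + Windows
    # failures are combined); carol's two failures are 3 minutes apart.
    print(correlate(EVENTS, any_auth_failure, ["src_user"]))
    # Group by Source User AND Dest IP: only alice fires.
    print(correlate(EVENTS, any_auth_failure, ["src_user", "dst_ip"]))
    # Windows-only signature filter: bob's VPN failure no longer counts.
    print(correlate(EVENTS, windows_529_failure, ["src_user"]))
```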

Former Member
Message 5 of 7

Re: Simple Correlation Tutorial?

Hey Scott,

Can I add Device Vendor = Microsoft on the same filter,

so it will only be true on Microsoft events?

BTW

Thanks for the help so far

Message was edited by: m0teki on 7/31/13 7:14:27 AM CDT
Former Member
Message 6 of 7

Re: Simple Correlation Tutorial?

Hey Scott,

Even after the change, the rule still does not trigger :S

correlation2.png

Former Member
Message 7 of 7

Re: Simple Correlation Tutorial?

That looks like it should work.  Things to try:

  • Have you defined a Correlation Engine?  It doesn't look like it based on your screenshots.  Because of the modular nature of our architecture, there is no Correlation Engine running by default...you need to define it.  To create a Correlation Engine, define a new Data Source (just like you did with your Win2003 box) and select Vendor = McAfee, Model = Correlation Engine.  Name it "Correlation Engine", and leave the rest of the settings at defaults.  Then write the configuration and push policy.

  • Ensure the rule is enabled in your Correlation Engine policy.  Select it from the policy tree at the top-left corner of the policy editor, then ensure the rule you're working on is enabled.  New rules are disabled by default.

8-1-2013 12-51-05 AM.jpg

  • If you make changes to the policy, ensure you roll out the new policy to your Correlation Engine.   There is a rollout icon in the top-right corner of the Policy Editor (or select Operations/Rollout).

This should do the trick. 

Scott
