cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
siddarth_t
Level 7
Report Inappropriate Content
Message 1 of 5
‎01-02-2014 03:44 AM

Using watch-list with rules

Hi All,

Can anybody suggest how to use a Watch-list with a rule. I am interested in knowing how to populate a watch-list dynamically by the rules.

The scenario is, we are observing a high number of brute force attempts on my external servers in our network from various locations across the world. I am trying to configure a rule that will populate the watch-list with the user name, each time there is a logon failure attempt made.

To achieve this, should I configure a dynamic or static watch-list?

What should be configured initially, a policy or a watch-list?

Has anyone tried this, kindly share your views on how to achieve this.

Regards,
Siddarth

Message was edited by: siddarth_t on 1/2/14 5:45:40 AM CST
0 Kudos
Reply
4 Replies
staschler
Level 13
Report Inappropriate Content
Message 2 of 5
‎01-02-2014 06:11 AM

Re: Using watch-list with rules

Rules, by themselves, cannot update a watchlist.  What you want is to configure an alarm.  Set up a static watchlist to contain your list of user IDs.  Your alarm should have a triggering condition of "Field Match / Signature ID = [Sig ID of the failed login event]"  Action should be "Update Watchlist".

Scott

0 Kudos
Reply
acommons
Level 11
Report Inappropriate Content
Message 3 of 5
‎01-02-2014 01:37 PM

Re: Using watch-list with rules

A few things to watch out for from recent experience:

  1. Just alarming on the event is going to give you a lot of alarms. I used a correlation rule to trigger when an event occurs that does not have an entry in the watchlist. So in your case that would be when the user name is not in the watch list.
  2. To get this to work I had to put ALL the conditions in a single filter rule for the correlation...splitting them across different rules and using the AND function did not work.
  3. The alarm would not trigger on the correlation rule until I had selected the Correlation Engine in the Device panel in the Alarm Settings. No tick in the box in Deveices then no Alarm it seems.

I think I now have everything working.....

Cheers,

Andrew

0 Kudos
Reply
siddarth_t
Level 7
Report Inappropriate Content
Message 4 of 5
‎01-02-2014 07:20 PM

Re: Using watch-list with rules

Hi Andrew,

Could you please explain in brief, on how to make sure that the watch-list doesn't contain duplicate entires.

Regards,

Siddarth

0 Kudos
Reply
acommons
Level 11
Report Inappropriate Content
Message 5 of 5
‎01-02-2014 08:17 PM

Re: Using watch-list with rules

The watchlist will not get duplicate entries, it de-dupes itself.

All I have done in my implementation is reduce the number of correlation events and associated alarms by adding a condition that verifies that the entry is not in the watchlist before the correlation event is generated. The correlation event then triggers the alarm that adds the new entry into the watchlist and stops further alarms for that value being generated.

I am still seeing more correlation events than I expected but the numbers are significantly less than the raw events and, at present, I'm putting this down to polling and scheduling delays'

Hope thgis helps.

cheers,

Andrew

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC