Using watch-list with rules

Hi All,

Can anybody suggest how to use a watch-list with a rule? I am interested in knowing how to populate a watch-list dynamically from rules.

The scenario is, we are observing a high number of brute-force attempts on our external servers from various locations across the world. I am trying to configure a rule that will populate the watch-list with the user name each time a failed logon attempt is made.

To achieve this, should I configure a dynamic or static watch-list?

What should be configured initially, a policy or a watch-list?

Has anyone tried this? Kindly share your views on how to achieve it.


Message was edited by: siddarth_t on 1/2/14 5:45:40 AM CST
4 Replies

Re: Using watch-list with rules

Rules, by themselves, cannot update a watchlist. What you want is to configure an alarm. Set up a static watchlist to contain your list of user IDs. Your alarm should have a triggering condition of "Field Match / Signature ID = [Sig ID of the failed login event]". The action should be "Update Watchlist".


Re: Using watch-list with rules

A few things to watch out for from recent experience:

  1. Just alarming on the event is going to give you a lot of alarms. I used a correlation rule to trigger when an event occurs that does not have an entry in the watchlist. So in your case that would be when the user name is not in the watchlist.
  2. To get this to work I had to put ALL the conditions in a single filter rule for the correlation; splitting them across different rules and using the AND function did not work.
  3. The alarm would not trigger on the correlation rule until I had selected the Correlation Engine in the Device panel in the Alarm Settings. No tick in the box in Devices, then no alarm, it seems.

I think I now have everything working.....



Re: Using watch-list with rules

Hi Andrew,

Could you please explain briefly how to make sure that the watch-list doesn't contain duplicate entries?



Re: Using watch-list with rules

The watchlist will not get duplicate entries, it de-dupes itself.

All I have done in my implementation is reduce the number of correlation events and associated alarms by adding a condition that verifies that the entry is not in the watchlist before the correlation event is generated. The correlation event then triggers the alarm that adds the new entry into the watchlist and stops further alarms for that value being generated.

I am still seeing more correlation events than I expected, but the numbers are significantly less than the raw events and, at present, I'm putting this down to polling and scheduling delays.

Hope this helps.
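
The two approaches discussed in this thread (the first reply's alarm that fires on every failed-logon event with an "Update Watchlist" action, and the later replies' correlation rule that fires only when the user name is not yet in the watchlist) simulated over a handful of sample events, as an added example. This is not McAfee ESM code and was not posted in the thread: the event tuples, the signature ID "4625", the Watchlist class and the poll_batch parameter (which models the polling delay the last reply mentions, i.e. a watchlist update becoming visible only after the current batch of events has been evaluated) are all constructed assumptions.

```python
"""Simulation of the watchlist-population pattern discussed in the thread.

Constructed example; not McAfee ESM code. Events, signature ID and the
polling model are assumptions made for illustration.
"""
from dataclasses import dataclass, field

# Assumed signature ID of the failed-logon event (placeholder, not a real ESM ID).
FAILED_LOGON_SIG = "4625"

# Constructed sample events: (signature_id, source_ip, user_name).
SAMPLE_EVENTS = [
    ("4625", "203.0.113.5", "admin"),
    ("4625", "203.0.113.5", "admin"),
    ("4625", "198.51.100.7", "root"),
    ("4624", "198.51.100.7", "root"),   # successful logon: must not trigger anything
    ("4625", "203.0.113.5", "admin"),
    ("4625", "192.0.2.9", "test"),
    ("4625", "192.0.2.9", "test"),
    ("4625", "198.51.100.7", "root"),
]


@dataclass
class Watchlist:
    """A set-backed watchlist: adding the same value twice keeps one entry,
    which is the de-duplication behaviour the last reply describes."""
    entries: set = field(default_factory=set)

    def update(self, value: str) -> None:
        self.entries.add(value)

    def contains(self, value: str) -> bool:
        return value in self.entries


def run_naive(events):
    """First-reply pattern: alarm on every failed-logon event, action = Update Watchlist.
    Returns (number_of_alarms, watchlist)."""
    wl = Watchlist()
    alarms = 0
    for sig, _src, user in events:
        if sig == FAILED_LOGON_SIG:
            alarms += 1          # one alarm per raw event
            wl.update(user)      # harmless duplicates, the set de-dupes
    return alarms, wl


def run_gated(events, poll_batch: int = 1):
    """Later-replies pattern: the correlation rule fires only when the user
    is NOT already in the watchlist; the resulting alarm adds the user.

    poll_batch models the polling delay: an alarm's watchlist update is applied
    only after the current batch of poll_batch events has been evaluated, so a
    user seen several times within one batch produces several correlation events.
    Returns (number_of_correlation_events, watchlist)."""
    wl = Watchlist()
    correlation_events = 0
    pending = []                 # updates not yet visible to the correlation rule
    for i, (sig, _src, user) in enumerate(events, 1):
        if sig == FAILED_LOGON_SIG and not wl.contains(user):
            correlation_events += 1
            pending.append(user)
        if i % poll_batch == 0:  # end of a polling cycle: apply queued updates
            for u in pending:
                wl.update(u)
            pending.clear()
    for u in pending:            # flush whatever is left after the last event
        wl.update(u)
    return correlation_events, wl


if __name__ == "__main__":
    raw = sum(1 for sig, _, _ in SAMPLE_EVENTS if sig == FAILED_LOGON_SIG)
    print("raw failed-logon events:", raw)
    print("naive alarms:", run_naive(SAMPLE_EVENTS)[0])
    print("gated, no delay:", run_gated(SAMPLE_EVENTS)[0])
    print("gated, batch of 4:", run_gated(SAMPLE_EVENTS, poll_batch=4)[0])
```

On these eight events the naive alarm fires seven times (once per failed logon), the gated rule with no polling delay fires three times (once per distinct user), and with updates applied only every four events it fires five times: the second "admin" and second "test" attempts arrive before the watchlist update from the first one is visible. In every case the watchlist ends up with exactly the three user names, which is the de-duplication the last reply refers to, and the gap between three and five is the polling-delay effect it suspects.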


