Can anybody suggest how to use a Watch-list with a rule. I am interested in knowing how to populate a watch-list dynamically by the rules.
The scenario is, we are observing a high number of brute force attempts on my external servers in our network from various locations across the world. I am trying to configure a rule that will populate the watch-list with the user name, each time there is a logon failure attempt made.
To achieve this, should I configure a dynamic or static watch-list?
What should be configured initially, a policy or a watch-list?
Has anyone tried this? Kindly share your views on how to achieve this.
Rules, by themselves, cannot update a watchlist. What you want is to configure an alarm. Set up a static watchlist to contain your list of user IDs. Your alarm should have a triggering condition of "Field Match / Signature ID = [Sig ID of the failed login event]". The action should be "Update Watchlist".
A few things to watch out for from recent experience:
I think I now have everything working...
The watchlist will not get duplicate entries, it de-dupes itself.
All I have done in my implementation is reduce the number of correlation events and associated alarms by adding a condition that verifies that the entry is not in the watchlist before the correlation event is generated. The correlation event then triggers the alarm that adds the new entry into the watchlist and stops further alarms for that value being generated.
I am still seeing more correlation events than I expected, but the numbers are significantly less than the raw events and, at present, I'm putting this down to polling and scheduling delays.
Hope this helps.
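As an added illustration of the flow described in the two replies above (failed-logon event, correlation rule gated on "user not already on the watchlist", alarm whose action adds the user to a static watchlist), here is a small Python model. It is not code from this thread and not McAfee ESM's own API; the event records, the signature ID value and the `poll_interval` knob (which stands in for the polling/scheduling delay mentioned in the last reply) are all constructed for the example.

```python
from collections import Counter

# Assumption: placeholder signature ID for the logon-failure event; substitute the
# real Sig ID of the failed-login event in your own SIEM.
FAILED_LOGON_SIG_ID = 4625

# Constructed sample raw events (user names and addresses are made up).
SAMPLE_EVENTS = [
    {"sig_id": 4625, "user": "admin",  "src_ip": "198.51.100.7"},
    {"sig_id": 4625, "user": "admin",  "src_ip": "198.51.100.7"},
    {"sig_id": 4624, "user": "jsmith", "src_ip": "203.0.113.9"},   # successful logon, ignored
    {"sig_id": 4625, "user": "root",   "src_ip": "203.0.113.9"},
    {"sig_id": 4625, "user": "admin",  "src_ip": "192.0.2.44"},
    {"sig_id": 4625, "user": "root",   "src_ip": "192.0.2.44"},
    {"sig_id": 4625, "user": "backup", "src_ip": "198.51.100.7"},
    {"sig_id": 4625, "user": "admin",  "src_ip": "198.51.100.7"},
]


class Watchlist:
    """A static watchlist of user IDs; membership is a set, so it never holds duplicates."""

    def __init__(self, values=()):
        self._values = set(values)

    def contains(self, value):
        return value in self._values

    def add(self, value):
        """Add a value; returns False when it was already present (the list de-dupes itself)."""
        if value in self._values:
            return False
        self._values.add(value)
        return True

    def __len__(self):
        return len(self._values)


def run_pipeline(events, watchlist, gate_on_watchlist=True, poll_interval=1):
    """Simulate the correlation rule and the alarm that updates the watchlist.

    For each failed-logon event the rule raises a correlation event; when
    gate_on_watchlist is set it first checks that the user is not already on
    the watchlist. Every correlation event raises an alarm whose action queues
    the user for addition. poll_interval models the delay between the alarm
    firing and the update becoming visible to the rule: queued additions are
    applied only every poll_interval events, so duplicates that arrive inside
    one interval still produce extra correlation events.
    Returns a dict of counters for comparison.
    """
    stats = Counter()
    pending = []
    for i, ev in enumerate(events, start=1):
        if ev["sig_id"] == FAILED_LOGON_SIG_ID:
            stats["raw_failed_logons"] += 1
            if not (gate_on_watchlist and watchlist.contains(ev["user"])):
                stats["correlation_events"] += 1
                stats["alarms"] += 1          # one alarm per correlation event
                pending.append(ev["user"])    # alarm action: Update Watchlist
        if i % poll_interval == 0:            # watchlist update becomes visible
            for user in pending:
                if watchlist.add(user):
                    stats["watchlist_adds"] += 1
            pending.clear()
    for user in pending:                      # flush whatever is still queued
        if watchlist.add(user):
            stats["watchlist_adds"] += 1
    return dict(stats)


if __name__ == "__main__":
    print("ungated:      ", run_pipeline(SAMPLE_EVENTS, Watchlist(), gate_on_watchlist=False))
    print("gated, poll=1:", run_pipeline(SAMPLE_EVENTS, Watchlist()))
    print("gated, poll=3:", run_pipeline(SAMPLE_EVENTS, Watchlist(), poll_interval=3))
```

With the gate in place and an immediate update, the model produces exactly one correlation event and one alarm per distinct user name; with a three-event polling delay the same input yields a few extra correlation events for users whose repeated failures land inside one interval, which is the residual the last reply attributes to polling and scheduling, while the watchlist itself still ends up with one entry per user.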