Showing results for 
Search instead for 
Did you mean: 

Using watch-list with rules

Hi All,

Can anybody suggest how to use a Watch-list with a rule. I am interested in knowing how to populate a watch-list dynamically by the rules.

The scenario is, we are observing a high number of brute force attempts on my external servers in our network from various locations across the world. I am trying to configure a rule that will populate the watch-list with the user name, each time there is a logon failure attempt made.

To achieve this, should I configure a dynamic or static watch-list?

What should be configured initially, a policy or a watch-list?

Has anyone tried this, kindly share your views on how to achieve this.


Message was edited by: siddarth_t on 1/2/14 5:45:40 AM CST
4 Replies

Re: Using watch-list with rules

Rules, by themselves, cannot update a watchlist.  What you want is to configure an alarm.  Set up a static watchlist to contain your list of user IDs.  Your alarm should have a triggering condition of "Field Match / Signature ID = [Sig ID of the failed login event]"  Action should be "Update Watchlist".


Re: Using watch-list with rules

A few things to watch out for from recent experience:

  1. Just alarming on the event is going to give you a lot of alarms. I used a correlation rule to trigger when an event occurs that does not have an entry in the watchlist. So in your case that would be when the user name is not in the watch list.
  2. To get this to work I had to put ALL the conditions in a single filter rule for the correlation...splitting them across different rules and using the AND function did not work.
  3. The alarm would not trigger on the correlation rule until I had selected the Correlation Engine in the Device panel in the Alarm Settings. No tick in the box in Deveices then no Alarm it seems.

I think I now have everything working.....



Re: Using watch-list with rules

Hi Andrew,

Could you please explain in brief, on how to make sure that the watch-list doesn't contain duplicate entires.



Re: Using watch-list with rules

The watchlist will not get duplicate entries, it de-dupes itself.

All I have done in my implementation is reduce the number of correlation events and associated alarms by adding a condition that verifies that the entry is not in the watchlist before the correlation event is generated. The correlation event then triggers the alarm that adds the new entry into the watchlist and stops further alarms for that value being generated.

I am still seeing more correlation events than I expected but the numbers are significantly less than the raw events and, at present, I'm putting this down to polling and scheduling delays'

Hope thgis helps.