r_gine
Level 9
Message 1 of 3

VPN "Super Human" Use Case

I'm trying to build an alert that triggers if I see a user attempt to log in to our VPN from two different "regions" within a three-hour window. I have the logic built, but in the correlation rule's "Advanced Options" I try to set a 'Distinct values' of 2 but the monitored fields only seem to provide a 'Source Geo location' option, and no ability to select state, region, country, etc.
2 Replies
Reliable Contributor brenta
Message 2 of 3

Re: VPN "Super Human" Use Case

Group by "Source User". Otherwise events are treated individually. Also... unfortunately, this is the only way to do this; you can't select by the "distance" in any way with the built-in tools.

Brent
r_gine
Level 9
Message 3 of 3

Re: VPN "Super Human" Use Case

That's too bad - because you can "Drill into" state, country, region, etc... but I guess you cannot use that for logic in a correlation rule... too bad.

more limitations..
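
The rule discussed in this thread (group by source user, alert on 2 distinct regions within three hours) can be prototyped outside the SIEM on exported VPN login events. The following is an added example, not part of the original posts and not the product's rule syntax; the event tuples, region strings and function name are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=3)

# Constructed sample VPN login events: (timestamp, source user, geo region).
# The region string is assumed to come from whatever geo enrichment is exported.
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "US/Ohio"),
    ("2024-05-01T09:30:00", "alice", "US/Ohio"),
    ("2024-05-01T10:15:00", "alice", "DE/Bavaria"),
    ("2024-05-01T08:05:00", "bob", "US/Texas"),
    ("2024-05-01T12:30:00", "bob", "FR/Normandy"),   # > 3h after Texas login
    ("2024-05-01T13:00:00", "carol", "US/Utah"),
    ("2024-05-01T13:20:00", "carol", "US/Utah"),
]

def find_multi_region_logins(events, window=WINDOW, distinct=2):
    """Return (user, trigger_time, regions) for each window that holds
    at least `distinct` different regions for the same source user."""
    # Group by source user so each user's logins are correlated together.
    by_user = defaultdict(list)
    for ts, user, region in events:
        by_user[user].append((datetime.fromisoformat(ts), region))

    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        start = 0
        for end, (ts, _region) in enumerate(logins):
            # Slide the left edge so the window spans at most `window`.
            while ts - logins[start][0] > window:
                start += 1
            regions = {r for _, r in logins[start:end + 1]}
            if len(regions) >= distinct:
                alerts.append((user, ts, sorted(regions)))
                start = end  # restart at the triggering login to avoid repeats
    return alerts

if __name__ == "__main__":
    for user, when, regions in find_multi_region_logins(EVENTS):
        print(f"{when.isoformat()} {user}: logins from {', '.join(regions)}")
```

The granularity of the region string (country, state, city) sets how sensitive the check is, which is the choice the correlation rule's single geolocation field does not expose.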
