cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
r_gine
Level 9
Report Inappropriate Content
Message 1 of 3

VPN "Super Human" Use Case

I'm trying to build an alert that triggers if I see a user attempt to login to our VPN from two different "regions" within a three-hour window. I have the logic built but in the correlation rules "Advanced Options" I try to set a 'Distinct values' of 2 but the monitored fields only seems to provide a 'Source Geo location' option, and not ability to select state, region, country, etc.
2 Replies
Reliable Contributor brenta
Reliable Contributor
Report Inappropriate Content
Message 2 of 3

Re: VPN "Super Human" Use Case

Group by "Source User". Otherwise events are treated individually. Also... unfortunately, this is the only way to do this, you can't select by the "distance" in anyway with the built in tools.

Brent
r_gine
Level 9
Report Inappropriate Content
Message 3 of 3

Re: VPN "Super Human" Use Case

That's too bad - because you can "Drill into" state, country, region, etc... but I guess your cannot use that for logic in a correlation rule... to bad. 

more limitations..

More McAfee Tools to Help You
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • Visit: Business Service Portal
  • More: Search Knowledge Articles
  • ePolicy Orchestrator Support
  • The McAfee ePO Support Center Plug-in is now available in the Software Manager. Follow the instructions in the Product Guide for more.