Level 7
Message 1 of 10

Who Created an Alert Monitoring a Rule Firing Over a 24 Hour Period?

Greetings-

Has anybody managed to create an alert monitoring the number of times a rule fired over a 24 Hour period?  I am trying to count how many times a rule fired over a 24 hour period and have the alert trigger once this count is greater than a certain amount.  I understand this is possible, but would involve multiple steps and maybe a watchlist.   

9 Replies
McAfee Employee
Message 2 of 10

Re: Who Created an Alert Monitoring a Rule Firing Over a 24 Hour Period?

Round 2:

There might be a way to do it with correlation workflow and watchlists, but let's start with this. Are you just looking for how many times a rule fired, or are you looking for how many times it fired grouped by another field (like user)? If it's just times in a 24-hour period, you could configure an Alarm as such:

[Attachment: alarm.PNG]

Level 7
Message 3 of 10

Re: Who Created an Alert Monitoring a Rule Firing Over a 24 Hour Period?

Hello Andy -

As I had in my other post - I am looking to track any userid that has 10 failed lockouts in a 24 hour period. This type of rule is pretty straight forward in a short time period - but does not work well over 24 hours simply because of the volume of ids it has to track.

McAfee Employee
Message 4 of 10

Re: Who Created an Alert Monitoring a Rule Firing Over a 24 Hour Period?

It seems like there is room for a "scheduled query" sort of feature. I think we'll see something official that should do the job in the near future. In the meantime, this could be accomplished via the API if you're open to it.

Each time an account lockout event fires, an API call queries the event quantity for the past 24 hours for that user. If it is past the threshold, then a notification could be created, like a log back to the ESM (which could have an alarm) or a direct email.

Does this seem like it could be an option for you?

Level 7
Message 5 of 10

Re: Who Created an Alert Monitoring a Rule Firing Over a 24 Hour Period?

I would like to create this rule. However, I am not really familiar with your approach. I would need more detail on how to create it in order to test it.

McAfee Employee
Message 6 of 10

Re: Who Created an Alert Monitoring a Rule Firing Over a 24 Hour Period?

Here is a script that will interface with the API to accomplish your goal. However, there is some setup involved.

1. Find somewhere for the script to live.

- As a result of an Alarm Action, a remote command can be executed with contextual arguments. The key here is "remote". The ESM is an appliance and doesn't support 3rd party code running on it. I found it was easy to install a small Linux VM just to handle my security tool patching, but anything that supports an SSH server and Python should work. (It could even be compiled into a Windows executable and run on a system with Python installed).

2. Also, Python requires an extra module called Requests. Usually this can be installed by typing 'pip install requests' but the site has the details.

3. Edit the parameters in the script. At the top are a number of self-explanatory settings that need to be set.

4. Configure a Field Match Alarm in the ESM to match on your sig ID you want to be alerted on. Account Lockouts for AD are listed as 4740 so the Sig-ID is 43-263047400.

[Attachment: alarm-api2.PNG]

5. Set the Alarm to Execute remote command and add the Signature ID and Source User fields as context (in that order).

[Attachment: alarm-api3.PNG]

That's it.

Each time an account is locked, the ESM fires the script. The script queries the API for the given event and user for the past 24 hours. If the event count is larger than 10, send an email with the events listed.

The script is pretty ugly code. It needs to be refactored and given proper comments and error checking and have some tests written for it. I have a goal to update it and post some useful examples of how to interact with the API that folks can modify for their own needs as I can find the time.
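Added example (not the script posted in this thread, and not McAfee's code): the threshold logic that the remote command in steps 4 and 5 has to implement. The ESM alarm hands the script the Signature ID and Source User as its two arguments; the script then needs to count that user's lockout events in the trailing 24 hours and notify only when the count exceeds 10. The ESM API call itself is left out (the URL and the `requests` call it would need are placeholders, labelled as such); the event list is constructed inline so the counting and windowing can be run offline. The user comparison is case-insensitive, since AD account names are.

```python
"""Added example: 24-hour lockout threshold check for an ESM alarm remote command.

This is not the thread's script. Querying the ESM is abstracted: the real
implementation would replace sample_events() with a Requests call to the ESM
API (endpoint below is a placeholder) returning (timestamp, sig_id, user).
"""
from __future__ import annotations

import sys
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

WINDOW = timedelta(hours=24)
THRESHOLD = 10                 # thread: notify when the count is larger than 10
SIG_ID = "43-263047400"        # Sig-ID for AD event 4740, as given in the thread

# Placeholder only; the ESM API endpoint is not part of this example.
ESM_QUERY_URL = "https://esm.example.invalid/PLACEHOLDER"

Event = Tuple[datetime, str, str]  # (UTC timestamp, signature id, source user)

# Fixed "now" so the constructed sample and its expected results are stable.
EXAMPLE_NOW = datetime(2016, 1, 1, 12, 0, tzinfo=timezone.utc)


def events_in_window(events: Iterable[Event], sig_id: str, user: str,
                     now: datetime, window: timedelta = WINDOW) -> List[Event]:
    """Return the events for this sig_id/user with a timestamp in [now - window, now]."""
    start = now - window
    return sorted(e for e in events
                  if e[1] == sig_id
                  and e[2].lower() == user.lower()
                  and start <= e[0] <= now)


def should_alert(events: Iterable[Event], sig_id: str, user: str, now: datetime,
                 threshold: int = THRESHOLD) -> Tuple[bool, List[Event]]:
    """Apply the thread's rule: alert when the windowed count is larger than threshold."""
    hits = events_in_window(events, sig_id, user, now)
    return len(hits) > threshold, hits


def format_notification(user: str, hits: List[Event]) -> str:
    """Body of the email / log-back message: count plus the events themselves."""
    lines = [f"{len(hits)} lockout events for {user} in the last 24 hours:"]
    lines += [f"  {ts.isoformat()}  sig={sig}" for ts, sig, _ in hits]
    return "\n".join(lines)


def sample_events(now: datetime) -> List[Event]:
    """Constructed sample data standing in for the ESM query result.

    alice: 11 lockouts inside the window, 1 older than 24 h, 1 unrelated sig.
    bob:   3 lockouts inside the window.
    """
    events: List[Event] = []
    events += [(now - timedelta(hours=i), SIG_ID, "ALICE") for i in range(11)]
    events.append((now - timedelta(hours=25), SIG_ID, "alice"))      # outside window
    events.append((now - timedelta(hours=2), "43-000000000", "alice"))  # other sig
    events += [(now - timedelta(hours=i), SIG_ID, "bob") for i in (1, 5, 9)]
    return events


def main(argv: List[str]) -> int:
    """Entry point for the alarm action: argv = [script, <Signature ID>, <Source User>]."""
    if len(argv) != 3:
        print(f"usage: {argv[0]} <sig_id> <source_user>", file=sys.stderr)
        return 2
    sig_id, user = argv[1], argv[2]
    now = datetime.now(timezone.utc)
    # Real deployment: replace sample_events(now) with the ESM API query.
    fire, hits = should_alert(sample_events(now), sig_id, user, now)
    if fire:
        print(format_notification(user, hits))  # hand this to your mailer / ESM log-back
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The window is evaluated at each firing rather than on a schedule, which is what makes the per-user count cheap: the script only ever looks at one user's events, so the volume problem mentioned earlier in the thread for tracking every ID over 24 hours does not arise on the ESM side.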


Re: Who Created an Alert Monitoring a Rule Firing Over a 24 Hour Period?

This is the exact solution to solve the problem.

Level 7
Message 8 of 10

Re: Who Created an Alert Monitoring a Rule Firing Over a 24 Hour Period?

Looking at this a little closer I see this warning on "Requests" site:

"Warning: Recreational use of other HTTP libraries may result in dangerous side-effects, including: security vulnerabilities, verbose code, reinventing the wheel, constantly reading documentation, depression, headaches, or even death."

Not sure I like that.

McAfee Employee
Message 9 of 10

Re: Who Created an Alert Monitoring a Rule Firing Over a 24 Hour Period?

Note: use of "other" libraries. Requests might save your life!    

Level 7
Message 10 of 10

Re: Who Created an Alert Monitoring a Rule Firing Over a 24 Hour Period?

OK. I started down this path, but then Intel responded and said that in the 9.6 version this problem will be fixed. So I am planning to upgrade my environment soon and will test their response.
