1 Reply Latest reply on Nov 8, 2017 3:48 PM by akerr

    Question about Alarms - Maximum Condition Trigger Frequency


      I have a question about the 'Maximum Condition Trigger Frequency' setting for ESM Alarms.


      In my scenario I have an alarm that is matching on a signature ID (in this case suspicious DNS connections). Every now and again we run into cases where we see high-volume DNS lookups to domains we are monitoring for. In cases like this we would not want the alarm to trigger hundreds of times. For our particular use case this alarm also generates a case and has resulted in dozens of cases being created.


      Is the condition trigger frequency based strictly on the alarm match criteria itself? So if we're matching on a signature ID and set a trigger frequency of 12 hours, and within that 12-hour period we see three different events for that signature ID (example: 1 DNS lookup for badsite.com, 5,000 DNS lookups to anotherbadsite.com, and 4 lookups for notabadsite.com), would all of those fall within the same 'Alarm' alert? Or does ESM know that the alarm for 'anotherbadsite.com', while triggered by the same signature ID value, is in fact different from the other two events?


      Ultimately what I would like to do is limit the number of alarms and in some instances the subsequent creation of cases that are generated when high-volume events start to generate.


      Real life example:


      We have an ACE rule that detects DNS requests to non-corporate-owned DNS servers. We have an alarm for this correlation rule and subsequently create a case for each alarm. On a Friday evening IT installed a new VoIP system without updating the config to use our internal DNS servers. On Monday morning we had thousands of alarms and nearly 100 cases that were created.


      This could have potentially been avoided by upping the 'threshold' for the trigger frequency; however, I would not want to miss other "Unauthorized DNS connection" events by having those roll into the same alarm.


      Hope this makes sense. Thanks!

        • 1. Re: Question about Alarms - Maximum Condition Trigger Frequency

          What we've done in similar situations is to use a watchlist in the alarm. 


          So say in this case you're alerting on a source IP list that is looking up badsite.com.

          First, create a static watchlist, something like "IPs for Bad DNS Lookups", where values expire after an appropriate time. I'd say in your case anywhere from an hour to 24 hours is probably appropriate.


          Now, in your alarm, since you're using a correlation rule for most of the logic, you'd just add another filter (with an AND clause) saying Signature ID In (your correlation rule) AND Source IP Not In "IPs for Bad DNS Lookups", and under Actions, add the Source IP to the watchlist.


          This does a couple of things I really like.  First, it stops the alarm from firing an absurd number of times for the same host, but will let you know all hosts that have it happening.  However, the Correlation Rule will fire every time.  That way, when you go to investigate, you can just quickly look at that correlation rule and filter by that host IP if you want, to see how much it has been happening since the alarm fired.
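          The watchlist suppression described in the reply above, as an added simulation that is not part of the original thread and does not use any McAfee ESM API: it models an expiring watchlist, the alarm condition "Signature ID In (rule) AND Source IP Not In watchlist", and the action that adds the source IP on trigger. The signature ID, IP addresses, domains and timestamps are constructed sample data, and the expiry check is a simplification (an entry expires exactly ttl after it was added).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RULE_SIG_ID = "47-6000001"  # hypothetical signature ID of the ACE correlation rule


@dataclass
class Event:
    ts: datetime
    sig_id: str
    src_ip: str
    dst: str


@dataclass
class Watchlist:
    """Static watchlist whose values expire ttl after they were added
    (models the expiry setting on an ESM watchlist; assumption, not the product's logic)."""
    ttl: timedelta
    entries: dict = field(default_factory=dict)  # value -> time it was added

    def contains(self, value, now):
        added = self.entries.get(value)
        if added is None:
            return False
        if now - added >= self.ttl:
            del self.entries[value]  # expired, so the host may alarm again
            return False
        return True

    def add(self, value, now):
        self.entries[value] = now


def run_alarm(events, ttl):
    """Alarm condition: Signature ID In (rule) AND Source IP Not In watchlist.
    Action on trigger: add the Source IP to the watchlist.
    Returns (alarms fired, per-host count of correlation-rule matches)."""
    wl = Watchlist(ttl)
    alarms = []
    rule_hits = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.sig_id != RULE_SIG_ID:
            continue
        # The correlation rule itself still fires on every event, so the
        # full volume per host remains visible when you investigate.
        rule_hits[ev.src_ip] = rule_hits.get(ev.src_ip, 0) + 1
        if wl.contains(ev.src_ip, ev.ts):
            continue  # host already alarmed inside the expiry window: suppressed
        alarms.append((ev.ts, ev.src_ip, ev.dst))
        wl.add(ev.src_ip, ev.ts)
    return alarms, rule_hits


def sample_events():
    """Constructed sample data mirroring the question: one lookup from one host,
    5000 lookups from a misconfigured host over the weekend, four from a third."""
    t0 = datetime(2017, 11, 3, 18, 0)  # Friday evening
    evs = [Event(t0, RULE_SIG_ID, "10.0.0.5", "badsite.com")]
    evs += [Event(t0 + timedelta(seconds=30 * i), RULE_SIG_ID, "10.0.0.77", "anotherbadsite.com")
            for i in range(5000)]  # one lookup every 30 s for ~41.7 hours
    evs += [Event(t0 + timedelta(minutes=i), RULE_SIG_ID, "10.0.0.9", "notabadsite.com")
            for i in range(4)]
    evs.append(Event(t0, "47-9999999", "10.0.0.77", "example.org"))  # unrelated signature, ignored
    return evs


def alarms_with_24h_expiry():
    alarms, _ = run_alarm(sample_events(), timedelta(hours=24))
    return alarms


if __name__ == "__main__":
    alarms, hits = run_alarm(sample_events(), timedelta(hours=24))
    for ts, ip, dst in alarms:
        print(f"{ts:%a %H:%M}  alarm for {ip} (first seen looking up {dst})")
    print("correlation-rule matches per host:", hits)
```

          With a 24-hour expiry the 5,000 lookups from 10.0.0.77 collapse to two alarms (one on Friday evening and one when the watchlist entry expires on Saturday evening), while 10.0.0.5 and 10.0.0.9 each still raise their own alarm, which is exactly the behaviour the reply describes: fewer alarms and cases, but no host goes unreported. Shortening the expiry to an hour raises the count for the noisy host to 42 without changing the other two.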