6 Replies Latest reply on Jan 6, 2013 1:36 PM by morihei

    dynamic watchlist - source IP



      Is there any way to accomplish this scenario: if some event X is triggered, then show some variables from event X and also from event Y?


      Here is an example: someone (a non-authorized person) is trying to access the admin interface of a network device

      Output: (1) when it happened, (2) from which IP address the user tried to connect, (3) who was logged in and (4) what username was used to access management interface


      (1), (2) and (4) are obvious from the "Login failed" event. But if I want to know (3), I need to search for it manually in a different event (e.g. Windows WMI log) according to the IP address.


      Is there any way to "combine" these events into one so I can get the info instantly and use it in a report?


      It seems that a watchlist could be a solution, but I didn't figure out how to dynamically add source IPs from event X to the watchlist, which could then be used as a filter in a new query.





        • 1. Re: dynamic watchlist - source IP

          Hi morihei


          One way to do this is to first create a correlation rule to detect this activity and then add the signature ID of that rule to the watchlist, or alternatively set an alarm. This way you don't need to worry about adding dynamic source IPs to the watchlist.


          Are you trying to monitor failed or successful login attempts to a device at the same time, or a successful login attempt after failed attempts? Or is there something else you want to do? I can show you a sample rule if you can clear up this point.




          Message was edited by: nadeemvirk on 1/4/13 1:30:49 AM CST
          • 2. Re: dynamic watchlist - source IP

            Hi nadeem,

            Actually, I don't need to create a correlation rule, as one of the signature IDs already detects this activity. I'm trying to monitor any failed login attempts and then find out which user caused them. But for this I need to take the source IP address from signature ID=X (this one detects the failed login activity) and use it in signature ID=Y (this one shows me which user uses a specific source IP). And I want to achieve this automatically. Any ideas?



            • 3. Re: dynamic watchlist - source IP

              Hi morihei,


              If you want, you can create a third rule that calls both rules, i.e. with signature ID X and signature ID Y, and then bind them with the source IP.



              This rule will give you the source IP address that is used in both signature ID X and signature ID Y (you can set a specific time interval as well). You can then use the signature ID of this third rule to generate your report. I am not sure if this is what you want. If not, can you show me the details of both rules with signature ID X and signature ID Y?




              Message was edited by: nadeemvirk on 1/4/13 2:27:49 AM CST
              • 4. Re: dynamic watchlist - source IP

                Hi nadeem,

                Thanks, this is useful and it's almost perfect. But unfortunately signature ID 43-263046240 (An account was successfully logged on.) shows a different source user in events: either the logged-in user or the hostname:


                Here, it shows username:



                Here, it shows hostname:



                and in the correlated event it shows the value from the last event for Sig ID 43-263046240, which is the hostname.



                Is there any way to add more events from SigID 43-263046240 to the correlated event, so the event with the username will also be included?


                Also, a side effect of the correlated event is that it populates field values from the last source event, so the source username from the event "Cisco_IOS SEC Login Failed" is missing from the details of the correlated event and can't be reported.




                Message was edited by: morihei on 1/4/13 6:16:39 AM CST
                • 5. Re: dynamic watchlist - source IP

                  Hi morihei,


                  Actually, this correlation rule is generic and should automatically include all events of SigID 43-263046240, those showing the username as well as the hostname. The problem we are having here is that a login attempt generates more than one event. Try this: in the Group By field, add username along with the Source IP. See whether the rule triggers with the required results or not. If not, a little more optimization of the rule would be required.




                  • 6. Re: dynamic watchlist - source IP

                    Hi nadeem,

                    I tried to use your suggestion and add username in the Group By field. Unfortunately, it didn't trigger the correlated event. Thus, I tried to modify the filter for Sig ID 43-263046240 - added Source User as another match condition (UsrIDSrc (In) Domain Users.Users) - but this also didn't trigger the correlated event, because it used the last Sig ID 43-263046240 event again, which has the hostname instead of the username. Is there any option to specify how many events from the same signature should be checked against the filter condition?
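
The join this thread is after, sketched outside the SIEM as an added example (not part of any post and not McAfee ESM rule syntax): each failed login is matched to the most recent user logon from the same source IP, skipping host entries so the last event cannot overwrite the username. The field names, the sample events, the 8-hour window and the `$` suffix test for host entries are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data; field names are illustrative, not ESM field names.
FAILED_LOGINS = [  # stands in for "Cisco_IOS SEC Login Failed" events
    {"time": "2013-01-04 10:15:00", "src_ip": "10.0.0.25", "user": "admin"},
    {"time": "2013-01-04 11:00:00", "src_ip": "10.0.0.99", "user": "root"},
]
WINDOWS_LOGONS = [  # stands in for "An account was successfully logged on."
    {"time": "2013-01-04 09:02:10", "src_ip": "10.0.0.25", "user": "jsmith"},
    {"time": "2013-01-04 09:02:11", "src_ip": "10.0.0.25", "user": "WKS-025$"},
    {"time": "2013-01-04 08:00:00", "src_ip": "10.0.0.99", "user": "WKS-099$"},
]

def is_host_entry(name):
    # Assumption: entries carrying a hostname (machine account) end with "$".
    return name.endswith("$")

def correlate(failed, logons, window=timedelta(hours=8)):
    """For each failed login, report the latest user logon from the same source IP."""
    report = []
    for f in failed:
        f_time = datetime.strptime(f["time"], FMT)
        candidates = [
            (datetime.strptime(l["time"], FMT), l["user"])
            for l in logons
            if l["src_ip"] == f["src_ip"] and not is_host_entry(l["user"])
        ]
        # Keep only logons that precede the failure and fall inside the window.
        candidates = [c for c in candidates if timedelta(0) <= f_time - c[0] <= window]
        logged_in = max(candidates)[1] if candidates else None
        report.append({
            "when": f["time"],                 # (1) when it happened
            "src_ip": f["src_ip"],             # (2) source IP of the attempt
            "logged_in_user": logged_in,       # (3) who was logged in on that IP
            "attempted_user": f["user"],       # (4) username tried on the device
        })
    return report

if __name__ == "__main__":
    for row in correlate(FAILED_LOGINS, WINDOWS_LOGONS):
        print(row)
```

A `logged_in_user` of `None` means only host entries were seen for that source IP inside the window, which is itself worth a line in the report.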