Could you perhaps post a screenshot of your rule in progress, and we can provide some suggestions for tweaking it?
OK, I see what's going on. You're very close, but you have used too many filter elements. The way the rule is written in your screenshot, it should trigger when the correlation engine sees:
- Two logins (event 529) AND
- Two failures (of any type, any event)
- All with the same Source User
- All within 2 minutes.
What you really want is to use a single filter element, with both of these conditions baked into it. Any events that match both criteria will then cause that rule element to trigger.
In addition, take a hard look at the individual authentication failure events that you're seeing from Windows. I see you've specifically called out Sig ID 43-211005291. There are a couple different formats for 529 login events (thanks, Microsoft), which map to several different signatures. Also, different versions of Windows use different Event IDs entirely (see, for example, 4625)...so it's worth making sure that this really is the Sig ID you need. It's possible you're seeing login failure events that are parsed by a slightly different parsing rule, with a different Sig ID, that might not trigger.
A more robust way to filter for these events might be to use our Normalization taxonomy. This rule would work for any authentication failures, regardless of whether they're coming from Windows or a VPN or a Linux box.
As a final suggestion, you might consider doing the "Group By" both Source User AND Dest IP. That way, the rule will track login state for different systems individually. If the user generates a single failed VPN login and failed Windows login, grouping by Dest IP in your rule will prevent the rule from triggering. Not sure if that's important to you or not, but something to consider.
Hope you find this helpful. Welcome to the world of McAfee ESM!
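As an added illustration of the points above (example code written for this thread, not from McAfee ESM or the original poster), here is a small Python model of the rule: one filter element whose conditions must all hold, a two-minute sliding window, and a Group By that can include Dest IP. The event records, the Sig-ID-vs-normalized filters and the vendor check are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the thread): parsed authentication
# records in the shape a SIEM exposes after normalization.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "event_id": 529, "outcome": "failure", "src_user": "alice", "dest_ip": "10.0.0.5", "vendor": "Microsoft"},
    {"ts": "2024-01-01T10:00:30", "event_id": 529, "outcome": "failure", "src_user": "alice", "dest_ip": "10.0.0.5", "vendor": "Microsoft"},
    {"ts": "2024-01-01T10:05:00", "event_id": 529, "outcome": "failure", "src_user": "bob", "dest_ip": "10.0.0.5", "vendor": "Microsoft"},
    {"ts": "2024-01-01T10:09:00", "event_id": 529, "outcome": "failure", "src_user": "bob", "dest_ip": "10.0.0.5", "vendor": "Microsoft"},  # 4 min gap
    {"ts": "2024-01-01T10:10:00", "event_id": 4625, "outcome": "failure", "src_user": "carol", "dest_ip": "10.0.0.5", "vendor": "Microsoft"},  # newer Windows ID
    {"ts": "2024-01-01T10:10:10", "event_id": 0, "outcome": "failure", "src_user": "carol", "dest_ip": "10.0.0.9", "vendor": "ExampleVPN"},  # hypothetical VPN
    {"ts": "2024-01-01T10:11:00", "event_id": 528, "outcome": "success", "src_user": "alice", "dest_ip": "10.0.0.5", "vendor": "Microsoft"},
]


# One filter element with every condition baked in: an event must satisfy
# all of them, rather than separate elements that each count on their own.
def sig_id_filter(e):            # tied to one Windows event ID; misses 4625
    return e["event_id"] == 529 and e["outcome"] == "failure"

def normalized_filter(e):        # vendor-agnostic: any authentication failure
    return e["outcome"] == "failure"

def windows_only_filter(e):      # normalized failure AND Device Vendor = Microsoft
    return normalized_filter(e) and e["vendor"] == "Microsoft"


def correlate(events, match, group_by, threshold=2, window=timedelta(minutes=2)):
    """Return the group keys for which `threshold` matching events fell
    within `window`. Each key tracks its own sliding window, so grouping on
    (src_user, dest_ip) keeps per-system login state separate."""
    recent = defaultdict(list)
    triggered = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not match(ev):
            continue
        key = tuple(ev[f] for f in group_by)
        now = datetime.fromisoformat(ev["ts"])
        # Keep only timestamps still inside the window, then add this one.
        recent[key] = [t for t in recent[key] if now - t <= window] + [now]
        if len(recent[key]) >= threshold and key not in triggered:
            triggered.append(key)
    return triggered


if __name__ == "__main__":
    print(correlate(EVENTS, normalized_filter, ("src_user",)))            # [('alice',), ('carol',)]
    print(correlate(EVENTS, normalized_filter, ("src_user", "dest_ip")))  # [('alice', '10.0.0.5')]
    print(correlate(EVENTS, sig_id_filter, ("src_user",)))                # [('alice',)]
    print(correlate(EVENTS, windows_only_filter, ("src_user",)))          # [('alice',)]
```

Note how carol's one Windows failure plus one VPN failure fires when grouped by Source User alone but not when Dest IP is added, and how the 529-only filter never sees her 4625 event.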
Hey Scott,
Can I add, on the same filter, Device Vendor = Microsoft,
so it will only be true on Microsoft events?
Thanks for the help so far
That looks like it should work. Things to try:
- Have you defined a Correlation Engine? It doesn't look like it based on your screenshots. Because of the modular nature of our architecture, there is no Correlation Engine running by default...you need to define it. To create a Correlation Engine, define a new Data Source (just like you did with your Win2003 box) and select Vendor = McAfee, Model = Correlation Engine. Name it "Correlation Engine", and leave the rest of the settings at defaults. Then write the configuration and push policy.
- Ensure the rule is enabled in your Correlation Engine policy. Select it from the policy tree at the top-left corner of the policy editor, then ensure the rule you're working on is enabled. New rules are disabled by default.
- If you make changes to the policy, ensure you roll out the new policy to your Correlation Engine. There is a rollout icon in the top-right corner of the Policy Editor (or select Operations/Rollout).
This should do the trick.