6 Replies Latest reply on Aug 1, 2013 1:03 AM by Scott Taschler

    Simple Correlation Tutorial?

      Hey Guys ,

      Ive been in the SIEM buisness for quite a while now (6 + years and counting ;P )

      Ive chwed and eaten - ArcSight , Alienvault , Symantec , Q1 And a few other (loggers).

       

      I recently got the Timebombed version of the ESM in order to test for a few clients .

      Setting up the reciever is quite easy and painless , however - when trying to create a Simple rule (2 failed logons by the same user on a windows system) - the rule will just not trigger ,

      i tried changing it via normalization filter , via message context - but NADA.

       

      it just wont trigger , although the events are pouring in correctly ,

       

      Any heads up ?

       

      Thanks

        • 1. Re: Simple Correlation Tutorial?
          Scott Taschler

          Could you perhaps post a screenshot of your rule in progress, and we can provide some suggestions for tweaking it?

          • 2. Re: Simple Correlation Tutorial?

            Sure thing - Screenshot attached

            The signature ID is a signature for event id 529 - local failed logon on windows (2003)

            failedlogon.png

            • 3. Re: Simple Correlation Tutorial?
              Scott Taschler

              OK, I see what's going on.  You're very close, but you have used too many filter elements.  The way the rule is written in your screenshot, it should trigger when the correlation engine sees:

               

              • Two logins (event 529) AND
              • Two failures (of any type, any event)
              • All with the same Source User
              • All within 2 minutes.

               

              What you really want is to use a single filter element, with both of these conditions baked into it.  Any events that match both criteria will then cause that rule element to trigger.

               

              In addition, take a hard look at the individual authentication failure events that you're seeing from Winodws.  I see you've specificaly called out Sig ID 43-211005291.  There are a couple different formats for 529 login events (thanks, Microsoft), which map to several different signatures.  Also, different versions of Windows use different Event IDs entirely  (see, for example 4625)...so it's worth making sure that this really is the Sig ID you need.  It's possible you're seeing login failure events that are parsed by a slightly different parsing rule, with a different Sig ID, that might not trigger. 

               

              A more robust way to filter for these events might be to use our Normalization taxonomy.  This rule would work for any authentication failures, regardless of whether they're coming from Windows or a VPN or a Linux box.

               

              7-31-2013 6-34-51 AM.gif

              As a final suggestion, you might consider doing the "Group By" both Source User AND Dest IP.  That way, the rule will track login state for different systems individually.  If the user generates a single failed VPN login and failed Windows login, grouping by Dest IP in your rule will prevent the rule from triggering.  Not sure if that's important to you or not, but something to consider.

               

              Hope you find this helpful.  Welcome to the world of McAfee ESM!

               

              Scott

              • 4. Re: Simple Correlation Tutorial?

                Hey Scott ,

                Can i add on the same filter Device Vendor = Microsoft ,

                so it will only be true on Microsoft events ?

                 

                BTW

                Thanks for the help so far

                 

                Message was edited by: m0teki on 7/31/13 7:14:27 AM CDT
                • 5. Re: Simple Correlation Tutorial?

                  Hey Scott ,

                  Even after the change - rule still does not trigger :S

                  correlation2.png

                  • 6. Re: Simple Correlation Tutorial?
                    Scott Taschler

                    That looks like it should work.  Things to try:

                     

                    • Have you defined a Correlation Engine?  It doesn't look like it based on your screenshots.  Because of the modular nature of our architecture, there is no Correlation Engine running by default...you need to define it.  To create a Correlation Engine, define a new Data Source (just like you did with your Win2003 box) and select Vendor = McAfee, Model = Correlation Engine.  Name it "Correlation Engine", and leave the rest of the settings at defaults.  Then write the configuration and push policy.

                     

                     

                     

                    • Ensure the rule is enabled in your Correlation Engine policy.  Select it from the policy tree at the top-left corner of the policy editor.  then ensure the rule you're working on is enabled.  New rules are disabled by default.

                     

                    8-1-2013 12-51-05 AM.jpg

                     

                    • If you make changes to the policy, ensure you roll out the new policy to your Correlation Engine.   There is a rollout icon in the top-right corner of the Policy Editor (or select Operations/Rollout).

                     

                    This should do the trick. 

                     

                    Scott