5 Replies Latest reply on Oct 23, 2013 10:41 AM by hybridsaber

    Setup an ALARM for Failed Logon Attempts.

    pfabrizi

      I am trying to setup an alarm for failed logon signature ID: 43-263046250 based on it failing more than 10 times in a 30 minute period from a particular data source.

       

      Any help on this would be greatly appreciated.

       

      Thanks!

        • 1. Re: Setup an ALARM for Failed Logon Attempts.
          lichnt

          I think it is not difficult :

          01.png

          02.png

          03.png

          04.png

          05.png

          06.png

          • 2. Re: Setup an ALARM for Failed Logon Attempts.
            rth67

            You will need to setup a Correlation Rule to look for the Signature ID, then set the "Paramaters" for Event Count of 10 and Time Window of 30 Minutes, once the Rule is enabled on a Correlation Engine and the Policy is applied, create an Alarm based on the Signature ID of the Correlation Rule.

             

            Typically you will want to group by User ID or possibly by Source IP for Failed Logins, so if a given user fails "x" login's in "y" minutes, then trigger the rule, or if the same "Source IP" fails "x" logins in "y" minutes.

             

            When setting up your Correlation Rule, you can set the Severity and an associated Normalization ID as well.

             

            The ability to have 2 or 3 variables / options in a basic Alarm is something that will hopefully be coming in a future release.

             

            Correlation Rule.png

             

            Rule Parameters.png

            • 3. Re: Setup an ALARM for Failed Logon Attempts.
              hybridsaber

              How would I be able to use this alarm but modify it so that I don't get a trigger when machine accounts (accounts with $ in them) hit?  I assume this would require a change to the correlation rule, but not sure how best to filter out anything with a $ in it....

               

              Thanks!

              • 4. Re: Setup an ALARM for Failed Logon Attempts.
                rth67

                You would need to build a Dynamic Watchlist (or lists) using RegEx to look for the Computer Accounts, then in the Correllation Rule add "Source User" (NOT IN) "Watchlist"

                Dynamic Watchlists can chew up CPU cycles, as can "NOT IN" filters. I would suggest only running your Dynamic Watchlist on a weekly basis.

                As Watchlists have limits on numbers, you may have to split your computer accounts in to multiple lists if you have a large environment: 9.1.x (10,000), 9.2.x (25,000), 9.3.x (1 Million)

                Here is an example RegEx that looks for Machine Accounts beginning with the letter "A" or "a" - ^[Aa].*\$

                • 5. Re: Setup an ALARM for Failed Logon Attempts.
                  hybridsaber

                  Ahh, okay, thanks for the assist (especially the performance implications) I knew NOT IN's were bad, but wasen't sure if there was any other way around it for this use case.

                   

                  Thanks again!