2 Replies Latest reply on Jul 15, 2014 5:35 AM by japie

    EPO Correlation Rule - Repeated malware from a single user over time.

    japie

      Hi Folks

      Has anyone managed to build a rule to use in reporting for detecting repeat offenders over time, producing a monthly report on it?

      - I have tried using the normalization malware criteria, monitoring the destination user.

      - Also tried defining all the relevant signature IDs and threat category (av.detect), monitoring the destination user with defined time/day parameters.

      Is there anyone out there doing anything similar with mining ePO data?

      Thanks,

      Japie

        • 1. Re: EPO Correlation Rule - Repeated malware from a single user over time.
          acommons

          You might try something like this:

          • Insert the destination user into a watchlist with a timeout equal to your period of interest.
          • Update the list on each malware event to refresh the timer.
          • Create a correlation rule that fires if the user is in the list and the time since the last event is greater than, say, 30 minutes...and I'm not sure how this bit would be done without trying it.

          You need to put a delay in before triggering the correlation rule to take into account the fact that many events come in short bursts triggered by a single user action.

          cheers

          Andrew
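The watchlist-with-timeout approach above, worked through offline as an added example (this is not code from the thread or from McAfee ESM; it is a Python model of the logic so the behaviour can be checked before building the real rule). The event field names (dest_user, sig_id, category), the 30-minute burst gap, the 30-day watchlist period and the sample events are all constructed assumptions for this illustration, not the product's actual field names or anyone's real data:

```python
"""Model of a repeat-offender correlation over ePO-style malware detections.

Three stages, mirroring the suggestion in the thread:
  1. collapse bursts  - detections from one user less than BURST_WINDOW apart
                        count as a single incident (one user action, many events)
  2. correlate        - a user whose watchlist entry has not expired when a new
                        incident arrives is a repeat hit; every incident refreshes
                        the entry's timer (expiry = incident time + WATCH_PERIOD)
  3. report           - incidents and repeat hits per user, bucketed by month
"""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=30)   # assumed gap that separates two incidents
WATCH_PERIOD = timedelta(days=30)      # assumed watchlist timeout (period of interest)

# Constructed sample events (not real ePO data); field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2014-06-02 09:00:00", "dest_user": "alice", "sig_id": 4001, "category": "av.detect"},
    {"ts": "2014-06-02 09:01:10", "dest_user": "alice", "sig_id": 4001, "category": "av.detect"},  # same burst
    {"ts": "2014-06-02 09:05:00", "dest_user": "alice", "sig_id": 4002, "category": "av.detect"},  # same burst
    {"ts": "2014-06-09 14:30:00", "dest_user": "alice", "sig_id": 4003, "category": "av.detect"},  # repeat
    {"ts": "2014-06-20 11:00:00", "dest_user": "alice", "sig_id": 4001, "category": "av.detect"},  # repeat
    {"ts": "2014-06-03 10:00:00", "dest_user": "bob",   "sig_id": 4001, "category": "av.detect"},
    {"ts": "2014-06-03 10:20:00", "dest_user": "bob",   "sig_id": 4001, "category": "av.clean"},   # not a detection
    {"ts": "2014-06-25 16:00:00", "dest_user": "carol", "sig_id": 4005, "category": "av.detect"},
    {"ts": "2014-07-01 08:00:00", "dest_user": "carol", "sig_id": 4005, "category": "av.detect"},  # watchlist spans months
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def collapse_bursts(events, window=BURST_WINDOW):
    """Return one incident per burst: a detection for a user that arrives less than
    `window` after that user's previous detection is folded into the same incident.
    The gap is measured from the latest event, so a continuing burst keeps extending."""
    last_seen = {}
    incidents = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["category"] != "av.detect":      # only actual detections are of interest
            continue
        ts, user = parse_ts(ev["ts"]), ev["dest_user"]
        prev = last_seen.get(user)
        last_seen[user] = ts
        if prev is not None and ts - prev < window:
            continue
        incidents.append({"ts": ts, "dest_user": user, "sig_id": ev["sig_id"]})
    return incidents


def correlate(incidents, period=WATCH_PERIOD):
    """Watchlist correlation. An incident for a user whose entry has not expired is a
    repeat hit; each incident (re)inserts the user with a fresh expiry."""
    watchlist = {}    # user -> expiry time
    hits = []
    for inc in incidents:
        user, ts = inc["dest_user"], inc["ts"]
        expiry = watchlist.get(user)
        if expiry is not None and ts < expiry:
            hits.append(inc)
        watchlist[user] = ts + period      # refresh the timer on every incident
    return hits


def monthly_report(incidents, hits):
    """{month: {user: {"incidents": n, "repeat_hits": m}}} for trending/reporting."""
    report = defaultdict(lambda: defaultdict(lambda: {"incidents": 0, "repeat_hits": 0}))
    for inc in incidents:
        report[inc["ts"].strftime("%Y-%m")][inc["dest_user"]]["incidents"] += 1
    for h in hits:
        report[h["ts"].strftime("%Y-%m")][h["dest_user"]]["repeat_hits"] += 1
    return {month: dict(users) for month, users in report.items()}


def repeat_offenders(report, month):
    """Users with at least one repeat hit in the given month, sorted by name."""
    return sorted(u for u, c in report.get(month, {}).items() if c["repeat_hits"] > 0)


if __name__ == "__main__":
    incs = collapse_bursts(SAMPLE_EVENTS)
    rep = monthly_report(incs, correlate(incs))
    for month in sorted(rep):
        print(month, rep[month], "repeat offenders:", repeat_offenders(rep, month))
```

Two points the model makes visible: the burst collapse happens before the watchlist logic, otherwise the three events at 09:00, 09:01 and 09:05 would already make the user a repeat offender; and because the watchlist timer is refreshed rather than reset per calendar month, an incident at the start of July can be a repeat hit of a June incident even though the monthly report buckets it under July.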

          • 2. Re: EPO Correlation Rule - Repeated malware from a single user over time.
            japie

            Thanks for your response, Andrew. I will be looking into your recommendation and creating a test rule.

            So far I have managed to get the rule to trigger with the attached configuration, monitoring the destination field.

            The objective of this rule is to monitor repeat offenders and trend the data based on BU etc.

            I will still dig around more. If anyone has something similar working, please share the information.

            Thanks,

            Japie

            Attachment: rule_1.PNG