3 Replies Latest reply on Oct 23, 2014 8:33 AM by avjana

    How to configure Beaconing Correlation Rule in SIEM ??

    avjana

      I have a requirement to configure a beaconing correlation rule.

       

      Here is an example:    Connection attempt to external Botnet category site  -  5 events for every 10 min over a period of 24 hours.

       

      I can configure the rule to have 5 events in a 10 min interval. How do we configure it to run over a 24 hour period? Any help really appreciated. Thanks

        • 1. Re: How to configure Beaconing Correlation Rule in SIEM ??
          japie

          Hi Avjana

           

          You can try the following:

           

          Add a Match component - define your criteria in here   - Botnet Cat

          Click on Parameters  - set threshold to 5 events and TimeWindow to 10 min

           

          Then add an AND operator on the component, set the TimeWindow to 24H and tick the Sequence box.

           

          Regards,

          Japie

          • 2. Re: How to configure Beaconing Correlation Rule in SIEM ??
            avjana

            Thank you Japie

            I did exactly what you mentioned, but I hadn't checked the Sequence box, which didn't allow me to set the time to more than the child's. Now I have ticked the Sequence box, which allowed me to set the time to 24 hr. Thank you very much for your response.


            • 3. Re: How to configure Beaconing Correlation Rule in SIEM ??
              avjana

              Hi Japie

              It seems it didn't work for me. I am able to see the events trigger only for 5 events in 10 min, but not repetitively.

               

              Here is what it looks like:

               

               

              AND [ 1. AND [ Filter --> Object_type In Botnet Category

               

              1st AND - I have 24 hr with Sequence

              2nd AND - I have 5 events in a 10 min interval.

               

              If I select only one AND operator, I can select only threshold and time window (5 events in a 10 min interval) with Sequence, but I am not sure where to specify the 24 hour time period. Can you tell me if something is not right here? Thanks.
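As an added example, not code from this thread or from the SIEM vendor: the detection logic the two-level rule above is meant to express, written in Python over constructed log lines. The inner level is Japie's Match component (at least 5 Botnet-category events from one source inside a 10-minute window); the outer level is the 24-hour AND with Sequence (that inner condition firing repeatedly within a day). The log format, the host addresses, the tumbling-window semantics and the `MIN_WINDOWS` setting are assumptions for illustration; a real SIEM may evaluate sliding windows instead. Running it shows the difference avjana describes: a host that bursts once satisfies the inner rule but not the outer one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # inner Match component: TimeWindow
THRESHOLD = 5                    # inner Match component: threshold
PERIOD = timedelta(hours=24)     # outer AND component: TimeWindow
MIN_WINDOWS = 12                 # assumption: 10-minute windows that must fire inside 24 h
EPOCH = datetime(1970, 1, 1)     # fixed origin for window alignment (timezone-free)


def build_sample_log():
    """Constructed sample data, not from any real SIEM. Lines are
    '<ISO timestamp> <source IP> <category>'.
    10.0.0.5 contacts a Botnet-category site 5 times every 10 minutes for a
    day (a beacon); 10.0.0.9 makes one burst of 6 connections and is then
    quiet; 10.0.0.7 only touches a benign category."""
    t0 = datetime(2014, 10, 22, 0, 0, 0)
    lines = []
    for slot in range(144):                       # 144 x 10 min = 24 h
        base = t0 + slot * WINDOW
        for k in range(5):
            ts = base + timedelta(seconds=30 * k)
            lines.append(f"{ts.isoformat()} 10.0.0.5 Botnet")
    burst = t0 + timedelta(hours=3)
    for k in range(6):
        ts = burst + timedelta(seconds=10 * k)
        lines.append(f"{ts.isoformat()} 10.0.0.9 Botnet")
    for k in range(20):
        ts = t0 + timedelta(minutes=7 * k)
        lines.append(f"{ts.isoformat()} 10.0.0.7 Business")
    return lines


def parse(line):
    ts, src, category = line.split()
    return datetime.fromisoformat(ts), src, category


def window_hits(lines, category="Botnet", threshold=THRESHOLD, window=WINDOW):
    """Inner component. For each source, return the sorted start times of
    every tumbling window of length `window` that held at least `threshold`
    events of `category`."""
    counts = defaultdict(int)
    for line in lines:
        ts, src, cat = parse(line)
        if cat != category:
            continue
        # Tumbling window: align the timestamp down to a multiple of `window`.
        slot = EPOCH + ((ts - EPOCH) // window) * window
        counts[(src, slot)] += 1
    hits = defaultdict(list)
    for (src, slot), n in counts.items():
        if n >= threshold:
            hits[src].append(slot)
    return {src: sorted(slots) for src, slots in hits.items()}


def beaconing_sources(lines, min_windows=MIN_WINDOWS, period=PERIOD, **kw):
    """Outer component. A source is reported when at least `min_windows` of
    its inner-rule hits start within any span of length `period` (a sliding
    24-hour period over the hit windows). Returns {source: max hits in a
    period} for the sources that qualify."""
    result = {}
    for src, slots in window_hits(lines, **kw).items():
        best, j = 0, 0
        for i, start in enumerate(slots):
            while j < len(slots) and slots[j] - start < period:
                j += 1
            best = max(best, j - i)
        if best >= min_windows:
            result[src] = best
    return result


if __name__ == "__main__":
    log = build_sample_log()
    print("inner rule only (any single 10-minute burst):",
          sorted(beaconing_sources(log, min_windows=1)))
    print("inner rule repeated over 24 h:", beaconing_sources(log))
```

With `min_windows=1` the outer level adds nothing and both 10.0.0.5 and 10.0.0.9 fire, which is the "only 5 events in 10 min, not repetitive" behaviour; with the 24-hour repetition requirement only the steadily beaconing 10.0.0.5 is reported.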