2 Replies Latest reply on Jun 14, 2015 7:51 PM by hok

    ESM - Creating an alarm based on multiple events using two fields

    adidone

      Hi.

      I'm currently receiving 'virus detected' information from an endpoint protection server. I am trying to create an alarm that triggers when a virus has been detected on the same IP address 3 times in 10 minutes.


      Basically I need to match on the same Source_IP as well as signature_ID, across 3 events in the space of 10 minutes.


      I currently have an alarm in place that triggers when the same signature_ID shows 3 times in the space of 10 minutes, but this doesn't meet the criteria of same IP.


      I am trying to get my head around the logic.


      Is there a way, possibly using watchlists, to use the Source_IP as a variable to match against in separate events, and create an alarm based on signature_ID and the results of the watchlist?


      Thanks,
      Andrew.

        • 1. Re: ESM - Creating an alarm based on multiple events using two fields
          aa_milo

          So I may have a solution for you, even if it isn't the most elegant solution. I have the following setup for a '3 viruses within 2 weeks' alert:


          2 watchlists - both purge accounts after 14 days.

          3 alarms total.


          First virus alert hits, inserts into first watchlist. Then a second alarm checks to see if a user is in the first watchlist and, if it is, adds the computer name (or IP in your case) to the second watchlist. A third alarm checks the second watchlist and first watchlist. If a user is in both watchlists and triggered a virus, this alerts, creating a 3-in-2-weeks alert.

          • 2. Re: ESM - Creating an alarm based on multiple events using two fields
            hok

            Why don't you use a Correlation Rule?


            I'm currently receiving 'virus detected' information from an endpoint protection server. I am trying to create an alarm that triggers when a virus has been detected on the same IP address 3 times in 10 minutes.


            You can define this with a Correlation Rule.

            Then, you should define a "Field Match" alarm referring to the Signature ID of this Correlation Rule.
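The correlation logic hok is describing (3 events sharing the same Source_IP and signature_ID within a sliding 10-minute window), as an added stand-alone example written for this thread, not ESM's own rule syntax or either poster's configuration. The event timestamps, IPs and signature IDs are constructed sample data, and the events are assumed to arrive in chronological order; the same key/window/threshold shape is what the two-watchlist chain in reply 1 approximates.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample 'virus detected' events: (timestamp, Source_IP, signature_ID)
SAMPLE_EVENTS = [
    ("2015-06-14 08:00:00", "10.1.1.5", "VIRUS-1001"),
    ("2015-06-14 08:02:00", "10.1.1.7", "VIRUS-1001"),
    ("2015-06-14 08:04:00", "10.1.1.5", "VIRUS-1001"),
    ("2015-06-14 08:09:00", "10.1.1.5", "VIRUS-1001"),  # 3rd hit for this IP+signature within 10 min -> alarm
    ("2015-06-14 08:10:00", "10.1.1.9", "VIRUS-1001"),
    ("2015-06-14 08:11:00", "10.1.1.9", "VIRUS-2002"),
    ("2015-06-14 08:12:00", "10.1.1.9", "VIRUS-3003"),  # 3 detections on one IP but different signatures -> no alarm
    ("2015-06-14 08:30:00", "10.1.1.7", "VIRUS-1001"),
    ("2015-06-14 08:31:00", "10.1.1.7", "VIRUS-1001"),  # 08:02 hit has aged out, only 2 in window -> no alarm
    ("2015-06-14 08:40:00", "10.1.1.5", "VIRUS-1001"),  # history for 10.1.1.5 was cleared when it fired
]


def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alarm per (Source_IP, signature_ID) key each time that key
    accumulates `threshold` events inside a sliding `window`.

    The key's history is cleared after it fires, so a noisy host produces one
    alarm per threshold crossing instead of one per additional event.
    """
    history = defaultdict(deque)   # key -> timestamps still inside the window
    alarms = []
    for ts_str, src_ip, sig_id in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        key = (src_ip, sig_id)     # both fields must match, as the question requires
        q = history[key]
        q.append(ts)
        while q and ts - q[0] > window:   # expire timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            alarms.append({
                "source_ip": src_ip,
                "signature_id": sig_id,
                "first_seen": q[0],
                "last_seen": ts,
                "count": len(q),
            })
            q.clear()
    return alarms


def run_sample():
    """Correlate the constructed sample events; expected to yield exactly one alarm."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```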