2 Replies Latest reply on Jul 24, 2015 8:08 AM by pcktech

    multiple rule correlation

    rboppidi

      Hi friends,

       

      can anyone help me with below scenario.

       

      i have a use case in which we need to correlate  multiple failed login attempts (10 in 10)   with IPS event    grouped by destination IP     ( both events should have same destination IP). may be we can put them in sequence ...   but not sure how i can acheive this .

       

      regards

      raghu

        • 1. Re: multiple rule correlation
          jp87

          Hi,

           

          have you been able to resolve this yet?

           

          /JP

          • 2. Re: multiple rule correlation
            pcktech

            Group By: Destination IP

            Correlation Logic:

            • AND (Threshold 10, Time Window 10 minutes)
              • Match Component Filter #1: Signature ID (In) <list of failed login Signatures> (or Normalized ID (in) Authentication > Login + Event Subtype (in) Failure)
              • Match Component Filter #2: Device ID (In) <select your IPS Data Source/Sensor> (and/or use Signature ID / Normalized ID for specific IPS events)

             

            The above should only trigger if there are 10 Failed Login Events with IPS Events within a 10 Minute window, and the Group By setting will make sure those events only meet the criteria if the Failed Login and IPS events share the same Destination IP. Hopefully this works as desired and helps.