4 Replies Latest reply on Jan 13, 2016 2:28 AM by nick.broughton

    Create an alert when a user unsuccessfully logs on 3 times within 10 minutes

    nick.broughton

      Hello everyone.

      Very new to the SIEM. I've basically inherited it and been told to make it do something, and the above question is something that has cropped up.

      I would be very appreciative if someone could advise how I can complete the above please? I have tried within the alarms and, under condition, used Specified Event Rate (event count 3, time frame 10 minutes) and within the filter I have specified the Signature ID. I can see a field for source user but don't know how to tell this field to match the same user within the certain time frame (see attached). Am I barking up the wrong tree here? I've seen something similar done in correlation but, in all honesty, haven't got anywhere near there yet.

      As mentioned above, I would be extremely grateful for any assistance.

      Many thanks,

      Nick

        • 1. Re: Create an alert when a user unsuccessfully logs on 3 times within 10 minutes
          dzh01

          I'd go ahead and make this a correlation rule instead of an alarm.

          • 2. Re: Create an alert when a user unsuccessfully logs on 3 times within 10 minutes
            nick.broughton

            Hi and thanks for the response.

            I've done a bit of looking into the correlation rule but still don't fully understand the process for creation. Would you be willing to give a step-by-step guide (or advise where I could find one that is suitable to my needs) please?

            Thanks in advance for your assistance.

            • 3. Re: Create an alert when a user unsuccessfully logs on 3 times within 10 minutes
              rgarrett

              First, I recommend understanding what you are looking for. At the Default Summary, use the filters to the right and select Normalization, then select Authentication -> Login -> and select Host Login. You can stay at the Login level, but you will get logins for IIS, email, routers and other devices. You may not want that.

              correlation1.png

              Next, select Event Type, and put in Failure. This will give a view of failed logins.

              correlation2.png

              Now when you run that filter query, you will have an idea of how many or few data points match your query.

              Next, go to the top and click on the Correlation tab. This will bring up all correlation rules. I find it easier to use an existing rule rather than create one from scratch. Note that you cannot modify an out-of-the-box rule: you would need to copy and paste one. For the sake of simplicity, all we are going to do is modify the parameters, so we won't need to copy and paste.

              Scroll down until you see Login - Multiple Failed Login Attempts.

              When you click on the rule, it looks like this:

              correlaton_4.png

              Note the rule matches, in some sense, the filters you applied. We are looking for a normalization of Login, and the event subtype is Failure.

              The other fields (context in external to internal) are set when you add your local IP to the variable Local Network under Asset Manager.

              If you click on Parameters (above) you see this:

              correlation5.png

              Change the Number of Events to 3, save, and you are on your way.

              Once created, I would let the rule run to see how many you get. Then, if it looks like you are not inundated with these events, you can create an alarm. Under Alarms, you can select Field Match or Internal Event Match. If an Internal Event Match, you will alert on the Signature ID of the correlation rule.

              correlaton6.png

              corrlation7.png

              If you alarm on Field Match, you need to create the rule you saw above. I recommend the product guide on alarms.

              There is a lot more to correlation, and I recommend looking at the user guide for reference.

              Hope this helps a little.
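
As an added illustration of what the correlation rule above is doing, here is a small stand-alone script (example code, not part of this thread or of the SIEM product) that applies the same logic to constructed log lines: keep only normalized Login events with subtype Failure and source host-login, then count them per source user in a sliding 10-minute window and raise one alert when the count reaches 3. The line format, user names and timestamps are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real ESM output): timestamp, normalized
# event type, subtype, login source, and the source user.
SAMPLE_EVENTS = """\
2016-01-12T09:00:00 Login Failure host-login src_user=alice
2016-01-12T09:02:00 Login Failure host-login src_user=bob
2016-01-12T09:03:30 Login Failure host-login src_user=alice
2016-01-12T09:05:00 Login Success host-login src_user=bob
2016-01-12T09:09:59 Login Failure host-login src_user=alice
2016-01-12T09:15:00 Login Failure host-login src_user=bob
2016-01-12T09:30:00 Login Failure host-login src_user=bob
2016-01-12T09:31:00 Login Failure iis-login src_user=carol
2016-01-12T09:32:00 Login Failure host-login src_user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<type>\S+) (?P<subtype>\S+) (?P<source>\S+) src_user=(?P<user>\S+)$"
)

def correlate_failed_logins(text, threshold=3, window=timedelta(minutes=10)):
    """Return (user, timestamp) tuples, one for each burst in which `user`
    produced `threshold` host-login failures within `window`.
    Events are assumed to arrive in chronological order."""
    recent = defaultdict(deque)  # per-user failure timestamps still inside the window
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash the rule
        # The filter from the post: normalization Login, subtype Failure, host login only.
        if m["type"] != "Login" or m["subtype"] != "Failure" or m["source"] != "host-login":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["user"]]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((m["user"], ts))
            q.clear()  # one alert per burst, then count afresh
    return alerts

if __name__ == "__main__":
    for user, ts in correlate_failed_logins(SAMPLE_EVENTS):
        print(f"ALERT {ts.isoformat()} {user}: 3 failed host logins within 10 minutes")
```

In the sample data only alice trips the rule (her third failure lands 9 min 59 s after the first); bob's failures are spread too far apart, and carol's IIS failure is excluded by the host-login filter.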

              • 4. Re: Create an alert when a user unsuccessfully logs on 3 times within 10 minutes
                nick.broughton

                Many thanks for this! It is very much appreciated. Will certainly get me pointed in the right direction.

                Thanks again!