3 Replies Latest reply on Jun 29, 2017 9:39 AM by auguste

    Siem Alarm



      I've done an alarm for trigger the event with severity greater 80 and all works fine!

      Now I'd like to do an alarm for trigger the event with severity greater 80 and with Event Count greater than 30

      in the event field i didn't find the correct field, with the field"count" doesn't work :

      has anyone a tip?




        • 1. Re: Siem Alarm

          Go to you Correlation --> new Correlation rule --> set a new AND operator --> add a filter rule with Severity > 80 ---> open the configuration of you AND operator and add your threshold by 30


          Add a correlations rule Name and change the default Normalization. Save the rule and copy this Signature ID and past it in your new Alarm with the condition Internal Event match.

          • 2. Re: Siem Alarm

            Works! Many thanks

            • 3. Re: Siem Alarm

              Hi xded,

              Thank for your help. Just to be sure :

              if you want to group 1 signature id (for example kerberos pre authentication failed) and 1 criteria on event count (more than 20) ,

              you have to :

              1) in Correlation rule, add an ADD operator; then add the signature ID filter of our rule and Severity filter > x  ?

              2) Click on edit on the AND operator and select the threshold we want ?

              3) Name our correlation rule and ..chosse which normalization ? (undefined could be ok ?)

              4) Then save and copy the Signature ID xxx of the correlation that we've created

              5) create an alarm on the signature ID xxx with Internal Event condition ?


              Thank you in advance,