There might be a way to do it with correlation workflow and watchlists, but let's start with this. Are you just looking for how many times a rule fired or are you looking for how many times it fired grouped by another field (like user)? If it's just times in a 24-hour period, you could configure an Alarm as such:
Hello Andy -
As I had in my other post - I am looking to track any userid that has 10 failed lockouts in a 24-hour period. This type of rule is pretty straightforward in a short time period - but does not work well over 24 hours simply because of the volume of ids it has to track.
It seems like there is room for a "scheduled query" sort of feature. I think we'll see something official that should do the job in the near future. In the meantime, this could be accomplished via the API if you're open to it.
Each time an account lockout event fires, an API call queries the event quantity for the past 24 hours for that user. If it is past the threshold, then a notification could be created, like a log back to the ESM (which could have an alarm) or a direct email.
Does this seem like it could be an option for you?
I would like to create this rule. However, I am not really familiar with your approach. I would need more detail on how to create it in order to test it.
Here is a script that will interface with the API to accomplish your goal. However, there is some setup involved.
1. Find somewhere for the script to live.
- As a result of an Alarm Action, a remote command can be executed with contextual arguments. The key here is "remote". The ESM is an appliance and doesn't support 3rd party code running on it. I found it was easy to install a small Linux VM just to handle my security tool patching, but anything that supports an SSH server and Python should work. (It could even be compiled into a Windows executable and run on a system with Python installed).
2. Also, Python requires an extra module called Requests. Usually this can be installed by typing 'pip install requests' but the site has the details.
3. Edit the parameters in the script. At the top are a number of self-explanatory settings that need to be set.
4. Configure a Field Match Alarm in the ESM to match on the sig ID you want to be alerted on. Account Lockouts for AD are listed as 4740 so the Sig-ID is 43-263047400.
5. Set the Alarm to Execute remote command and add the Signature ID and Source User fields as context (in that order).
Each time an account is locked, the ESM fires the script. The script queries the API for the given event and user for the past 24 hours. If the event count is larger than 10, send an email with the events listed.
The script is pretty ugly code. It needs to be refactored and given proper comments and error checking and have some tests written for it. I have a goal to update it and post some useful examples of how to interact with the API that folks can modify for their own needs as I can find the time.
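The handler that steps 1 to 5 above describe, written out as an added example (this is not the poster's script). It is meant to be called by the Alarm's "Execute remote command" action with the Signature ID and Source User as arguments, in that order. The ESM API endpoint path, the JSON field names in the response, the API credentials and the mail hosts are all assumed placeholders and have to be replaced with the real values; the sample events at the bottom are constructed so the filtering and threshold logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Added example: ESM Alarm remote-command handler that counts account
lockout events for one user over the past 24 hours and emails a summary
when the count is larger than the threshold.

Invoked by the Alarm action as:  lockout_check.py <sig_id> <source_user>
"""
import smtplib
import sys
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage

# --- settings to edit for your site (all values are placeholders) ----
ESM_URL = "https://esm.example.internal"          # assumed ESM address
ESM_QUERY_PATH = "/PLACEHOLDER_event_query_path"  # real API path goes here
ESM_USER = "api_user"                             # assumed API account
ESM_PASSWORD = "change-me"
THRESHOLD = 10           # lockouts per window that trigger a notification
WINDOW_HOURS = 24
MAIL_FROM = "esm-alerts@example.internal"
MAIL_TO = "soc@example.internal"
SMTP_HOST = "smtp.example.internal"


def window_start(now=None):
    """Return the UTC timestamp that opens the look-back window."""
    now = now or datetime.now(timezone.utc)
    return now - timedelta(hours=WINDOW_HOURS)


def fetch_events(sig_id, user, since):
    """Query the ESM API for matching events.  The request shape and the
    'events' list in the reply are ASSUMED, not the documented ESM API."""
    import requests  # third-party module: 'pip install requests'
    query = {"sigId": sig_id, "srcUser": user, "since": since.isoformat()}
    resp = requests.post(ESM_URL + ESM_QUERY_PATH, json=query,
                         auth=(ESM_USER, ESM_PASSWORD), timeout=30)
    resp.raise_for_status()
    return resp.json()["events"]


def events_in_window(events, user, since):
    """Keep only this user's events whose timestamp falls inside the window.
    Filtering client-side guards against an API returning a wider range."""
    kept = []
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if when.tzinfo is None:           # treat naive timestamps as UTC
            when = when.replace(tzinfo=timezone.utc)
        if ev["user"].lower() == user.lower() and when >= since:
            kept.append(ev)
    return kept


def over_threshold(count, threshold=THRESHOLD):
    """The rule from the thread: notify when the 24-hour count exceeds 10."""
    return count > threshold


def build_email(user, events):
    """Compose the notification with every lockout event listed."""
    msg = EmailMessage()
    msg["Subject"] = f"[ESM] {len(events)} lockouts for {user} in {WINDOW_HOURS}h"
    msg["From"] = MAIL_FROM
    msg["To"] = MAIL_TO
    lines = [f"{ev['time']}  {ev['user']}  {ev.get('src_ip', '-')}"
             for ev in sorted(events, key=lambda e: e["time"])]
    msg.set_content("Account lockout threshold exceeded:\n\n" + "\n".join(lines))
    return msg


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: lockout_check.py <sig_id> <source_user>")
    sig_id, user = argv[1], argv[2]
    since = window_start()
    hits = events_in_window(fetch_events(sig_id, user, since), user, since)
    if over_threshold(len(hits)):
        with smtplib.SMTP(SMTP_HOST) as smtp:
            smtp.send_message(build_email(user, hits))


# Constructed sample data (not real events) for exercising the logic offline:
# 11 lockouts for jdoe inside the window, one too old, one for another user.
SAMPLE_NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    [{"time": (SAMPLE_NOW - timedelta(hours=h)).isoformat(),
      "user": "jdoe", "src_ip": "10.0.0.5"} for h in range(1, 12)]
    + [{"time": (SAMPLE_NOW - timedelta(hours=30)).isoformat(),
        "user": "jdoe", "src_ip": "10.0.0.5"}]
    + [{"time": (SAMPLE_NOW - timedelta(hours=2)).isoformat(),
        "user": "asmith", "src_ip": "10.0.0.9"}]
)

if __name__ == "__main__":
    main(sys.argv)
```

Because the ESM hands the script only one user per firing, the script never has to track every id at once, which is the scaling problem the 24-hour correlation rule runs into; the per-user count is recomputed from the event store on each lockout instead.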
This is the exact solution to solve the problem.
Looking at this a little closer I see this warning on the "Requests" site:
"Warning: Recreational use of other HTTP libraries may result in dangerous side-effects, including: security vulnerabilities, verbose code, reinventing the wheel, constantly reading documentation, depression, headaches, or even death."
Not sure I like that.
Note: use of "other" libraries. Requests might save your life!
OK. I started down this path, but then Intel responded and said that in the 9.6 version this problem will be fixed. So I am planning to upgrade my environment soon and will test their response.