2 Replies Latest reply on Oct 26, 2016 5:13 PM by michal_be

    Brute force Correlation Rule

    michal_be

      Hi guys,

      I need somebody's help with the following use case.

      Write a CRL which will capture:

      7 failed logon attempts from the same Source IP and Source User in 10, 30, 60 minutes,

      Followed by a successful logon from the same Source IP and Source User within 60 minutes after the previous 7 failures.

      The CRLs are in the attachment and below is a screenshot from the Policy editor.

      There are some questions:

      1. Does it make sense to set separate CRLs depending on the time in which those 7 failed logon attempts happen, or is one enough with a 60-minute gate inside?

          Will it work such that whichever happens first (Threshold or Time) closes this gate and then jumps to another gate?

      2. Does it make sense to set sequence inside the first gate (7 failures)? From tests, the number of triggers for those with sequence in gate one is equal to those without sequence enabled.

      I would also like to ask for an explanation of how the Threshold and Time Window inside AND gates work.

      Does the sequence have to be used only when there is more than one match component inside a gate?

      Thank you in advance

      Mike

        • 1. Re: Brute force Correlation Rule
          abanaru

          1. Does it make sense to set separate CRLs depending on the time in which those 7 failed logon attempts happen, or is one enough with a 60-minute gate inside?

          One is enough.

              Will it work such that whichever happens first (Threshold or Time) closes this gate and then jumps to another gate?

          If you keep the 3 correlation rules they will all fire if 7 failed logon attempts occur.

          2. Does it make sense to set sequence inside the first gate (7 failures)? From tests, the number of triggers for those with sequence in gate one is equal to those without sequence enabled.

          No, but you need sequence for the 2nd correlation rule.

          I would also like to ask for an explanation of how the Threshold and Time Window inside AND gates work.

          Threshold is the number of events and Time Window is just what its name is :-)

          Does the sequence have to be used only when there is more than one match component inside a gate?

          If you have a single component there's no justification to use sequence.

          Also, you might be interested in creating the first correlation as a component and the second as a rule if you're not interested in firing on 7 failed attempts as well.

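The two-stage rule discussed in this thread (7 failures from one Source IP and Source User inside a time window, then a success from the same pair within 60 minutes), written out as a small Python correlator so the threshold, time-window and sequence behaviour can be checked against sample events. This is an added example and not a rule from the thread or from the product being discussed; the one-line event format, the sample events and the sliding-window approximation of the "gate" are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def minutes(n):
    return timedelta(minutes=n)

def burst(ip, user, start, count, step):
    """Constructed FAIL lines: `count` failures from (ip, user), `step` apart."""
    return [f"{(start + i * step).isoformat()} FAIL {ip} {user}" for i in range(count)]

T0 = datetime(2016, 10, 26, 10, 0)
# Constructed sample events (not from the thread): "<ISO time> <FAIL|SUCCESS> <src ip> <user>"
SAMPLE_LOG = (
    burst("10.0.0.5", "alice", T0, 7, minutes(1))                   # 7 failures in 6 min ...
    + [f"{(T0 + minutes(40)).isoformat()} SUCCESS 10.0.0.5 alice"]  # ... then success -> alert
    + [f"{T0.isoformat()} SUCCESS 10.0.0.9 bob"]                    # success BEFORE the failures ...
    + burst("10.0.0.9", "bob", T0 + minutes(1), 7, minutes(1))      # ... -> no alert (sequence)
    + burst("10.0.0.7", "carol", T0, 7, minutes(2))                 # 7 failures over 12 min -> no burst
    + [f"{(T0 + minutes(30)).isoformat()} SUCCESS 10.0.0.7 carol"]
    + burst("10.0.0.8", "dave", T0, 7, minutes(1))                  # burst, but success 84 min later
    + [f"{(T0 + minutes(90)).isoformat()} SUCCESS 10.0.0.8 dave"]   # ... -> gate already closed
)

def correlate(lines, threshold=7, fail_window=minutes(10), success_window=minutes(60)):
    """Two-stage rule: `threshold` failures per (ip, user) inside `fail_window` open
    a gate of `success_window`; a success from the same key before it closes fires."""
    failures = defaultdict(deque)   # key -> failure timestamps still inside fail_window
    gate_open_until = {}            # key -> deadline for a matching success
    bursts, alerts = [], []         # stage-1 firings, stage-2 (failures then success) firings
    for line in sorted(lines):      # ISO timestamps sort lexicographically
        ts_text, outcome, ip, user = line.split()
        ts, key = datetime.fromisoformat(ts_text), (ip, user)
        if outcome == "FAIL":
            recent = failures[key]
            recent.append(ts)
            while ts - recent[0] > fail_window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold:
                bursts.append((key, ts))
                gate_open_until[key] = ts + success_window
                recent.clear()                    # start counting a fresh burst
        elif outcome == "SUCCESS":
            # Sequence matters: only a success AFTER the 7th failure, inside the gate, fires
            deadline = gate_open_until.pop(key, None)
            if deadline is not None and ts <= deadline:
                alerts.append((key, ts))
    return bursts, alerts
```

Running `correlate(SAMPLE_LOG)` returns three stage-1 bursts (alice, bob, dave) but only one stage-2 alert (alice), which is the difference the reply above points at between keeping the 7-failure rule as its own rule and folding it into the second rule as a component.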
          • 2. Re: Brute force Correlation Rule
            michal_be

            Hi abanaru

            Many thanks for your support, that helped me a lot. Currently I am testing some CRLs and getting different results. I will try to troubleshoot and fix it.

            If I get stuck I will definitely be back here.