5 Replies Latest reply on Dec 2, 2016 10:12 AM by xded

    Filters matching Report

    zakhter

      Hi All,

      Looking to create a report where two filters can be equal / matching.  Is this possible by correlation or any other way?


      Regards,

        • 1. Re: Filters matching Report
          xded

          Do you mean


          Source Ip is: 192.168.0.2

          Hostname is: 192.168.0.2


          or what do you mean with two filters can be equal? Is there an example?

          • 2. Re: Filters matching Report
            zakhter

            Hi Xded,

            Sorry for not being more specific.


            Administrators are creating local admin-equivalent user accounts and deleting them afterwards. I need to build a report where, when a user logs on locally on the tmftpbrs host as tmftpbrs\admin1, an alarm goes off. I don't want to put any names in the variable group because the name can be anything. The report should be based on host = domain login success.

            Thanks X for looking into it.

            • 3. Re: Filters matching Report
              xded

              Hi zakhter,


              You need a correlation for this.


              Correlate two Events in one. First Event is the Account creation and the secondary Event is the local logon on the Server/Client.

              After this you can set up a Report with a filter on the Signature ID of the correlated Event.


              Sorry for the cryptic explanation, but in my environment we don't have any standard parser for all Windows Events, so we have different signature IDs than in your environment.

              • 4. Re: Filters matching Report
                zakhter

                HI X,

                Created a correlation

                Local user logging onto local server where local server = server/client

                • 5. Re: Filters matching Report
                  xded

                  I'm not sure if this works.

                  Example

                  There must be two Events in your SIEM.

                  1. A User was added to a local Security Group (Signature ID = 43-xxxx48880; careful, it's an example)

                  and

                  2. A user has logged on (Signature ID = 43-xxxx46240)


                            Filters -> Signature ID (in) 43-xxxx48880

                  And

                            Filters -> Signature ID (in) 43-xxxx46240


                  This gives you another Signature ID the Signature ID from this Correlation Event and with this Event you can setup an Alarm or a Report after some days.
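A worked version of the two-event correlation xded describes, as an added example that is not code from the thread or from the SIEM product: a "user added to local security group" event followed by a logon of the same account on the same host is joined into one correlated event, and the report then filters on that correlated signature ID. The signature IDs, host names, user names and the 24-hour window are constructed placeholders.

```python
from datetime import datetime, timedelta

# Placeholder signature IDs in the style of the thread (constructed, not real).
SIG_GROUP_ADD = "43-xxxx48880"   # user added to a local security group
SIG_LOGON = "43-xxxx46240"       # successful logon
SIG_CORRELATED = "47-xxxx00001"  # ID the correlation rule itself would emit (assumed)

def sample_events():
    """Constructed sample events; host and user names are illustrative only."""
    t = datetime(2016, 12, 1, 9, 0)
    mk = lambda sig, host, user, mins: {"sig": sig, "host": host, "user": user,
                                        "time": t + timedelta(minutes=mins)}
    return [
        mk(SIG_GROUP_ADD, "tmftpbrs", "admin1", 0),   # admin1 added to a local group
        mk(SIG_LOGON, "tmftpbrs", "admin1", 5),       # admin1 logs on -> should correlate
        mk(SIG_LOGON, "tmftpbrs", "svc_backup", 7),   # ordinary logon, no group add -> no match
        mk(SIG_LOGON, "otherhost", "admin1", 9),      # same name, different host -> no match
        mk(SIG_GROUP_ADD, "fileserv", "tmpadm", 30),
        mk(SIG_LOGON, "fileserv", "tmpadm", 20),      # logon BEFORE the add -> no match
    ]

def correlate(events, window=timedelta(hours=24)):
    """Emit one correlated event per logon that follows a group-add of the
    same account on the same host within `window`. No account names are
    hard-coded: the match is on host + user equality between the two events."""
    adds = [e for e in events if e["sig"] == SIG_GROUP_ADD]
    correlated = []
    for logon in (e for e in events if e["sig"] == SIG_LOGON):
        for add in adds:
            same_context = (add["host"].lower() == logon["host"].lower()
                            and add["user"].lower() == logon["user"].lower())
            if same_context and add["time"] <= logon["time"] <= add["time"] + window:
                correlated.append({"sig": SIG_CORRELATED, "host": logon["host"],
                                   "user": logon["user"], "time": logon["time"],
                                   "sources": [add["sig"], logon["sig"]]})
                break
    return correlated

def report(events, sig=SIG_CORRELATED):
    """The report filter from the thread: keep only the correlated signature ID."""
    return [e for e in correlate(events) if e["sig"] == sig]

if __name__ == "__main__":
    for row in report(sample_events()):
        print(row["time"], row["host"], row["user"], row["sources"])
```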