Do any correlation rules work on your SIEM?
Also, don't forget to use a "Group By: Source User" inside your correlation rule.
Yes correlation rules do fire.
Some of the verbiage I've read is that inside the ACE component (we do not have this) default is "disable" and after rolling out it needs to be enabled for it to work.
I've created a view just to see if the watchlist data populates and I see the data I'm looking for...
Thanks for the tip on Group By. Very frustrated this is not working yet.
I assume Group By as in the line directly above the Correlation Logic?
Yes, that's the one.
It's one of the most important factors in making correlation rules.
Yep I actually got it working for the better part of last night.
So clearly right now I have no timeframe involved with this Correlation rule. I did it in the broadest sense I could think of. I rolled it out to everything and applied the alarm to every device.
What troubles me is a couple of things. Why is it when I roll it out to say just the Windows servers and workstations it doesn't work when that's all these admins on the watchlist are logging into to generate the alert in the first place? Second, and for the exact same reason, do I have to apply every device in the conditions part of the alarm for it to fire? I should be able to specify specific devices etc.
Why is it when I roll it out to say just the Windows servers and workstations it doesn't work when that's all these admins on the watchlist are logging into to generate the alert in the first place?
What's the error?
Second, and for the exact same reason, do I have to apply every device in the conditions part of the alarm for it to fire? I should be able to specify specific devices etc.
It will do all devices by default; you can explicitly include a device so the rule fires on events that occurred on that particular device only.
There is a variable called working hours, but it's in GMT, so make sure you convert it into your time zone for working hours. You can add this into the top logical group.
Yes I know that's the case regarding both the variable and GMT.
The rule itself is for non-working hour logins (whether a success or failure) so inside the component I've been adding in "Time of Day" and then 1000 to 0500 hours.
I'm more concerned with the issues I'm seeing in the rollout and the alarm in terms of having to deploy it to everything for it to work correctly.
Yeah, you have to save everything when you make a change and roll out the policy to the ACE. That's mandatory.
The client I'm working with doesn't have the ACE (device/appliance... component?). Would that affect anything and/or limit one's ability to implement correlation rules?
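The off-hours logon rule discussed in this thread, written out as an added example (not code from the thread or from the SIEM product): a watchlist check, an optional device scope, a GMT-to-local time-of-day window that wraps midnight, and a "Group By: Source User" aggregation. The watchlist, device names, site time zone and logon events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta, timezone

# Constructed sample data. Event timestamps are UTC, matching the GMT-based
# "working hours" variable mentioned in the thread; LOCAL_TZ is an assumed site zone.
WATCHLIST = {"admin.jane", "svc_backup"}            # admin accounts on the watchlist
LOCAL_TZ = timezone(timedelta(hours=-5))            # assumed UTC-5, no DST handling
IN_SCOPE_DEVICES = {"WIN-DC01", "WIN-WS042"}        # device scope; empty set = all devices

EVENTS = [  # (UTC timestamp, source user, device, logon outcome)
    ("2024-03-04T03:15:00Z", "admin.jane", "WIN-DC01",  "success"),  # 22:15 local -> hit
    ("2024-03-04T03:20:00Z", "admin.jane", "WIN-DC01",  "failure"),  # 22:20 local -> hit
    ("2024-03-04T14:00:00Z", "admin.jane", "WIN-DC01",  "success"),  # 09:00 local, working hours
    ("2024-03-04T08:30:00Z", "svc_backup", "LNX-WEB01", "success"),  # 03:30 local, out of scope
    ("2024-03-04T07:45:00Z", "bob.user",   "WIN-WS042", "success"),  # off-hours, not on watchlist
]

def hhmm(s: str) -> time:
    """Parse a '2200'-style hour string, the format used for the Time of Day condition."""
    return time(int(s[:2]), int(s[2:]))

def in_window(t: time, start: time, end: time) -> bool:
    """True if t is in [start, end); a window whose end is before its start wraps midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def correlate(events, watchlist, devices, start="2200", end="0500", tz=LOCAL_TZ):
    """Return off-hours watchlist logons grouped by source user (success or failure)."""
    lo, hi = hhmm(start), hhmm(end)
    hits = defaultdict(list)
    for ts, user, device, outcome in events:
        if user not in watchlist:                 # watchlist condition
            continue
        if devices and device not in devices:     # optional device scoping
            continue
        utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        local = utc.astimezone(tz)                # convert GMT to site time before the check
        if in_window(local.time(), lo, hi):
            hits[user].append((local.isoformat(), device, outcome))
    return dict(hits)

if __name__ == "__main__":
    for user, matches in correlate(EVENTS, WATCHLIST, IN_SCOPE_DEVICES).items():
        print(f"ALARM off-hours logon by {user}: {len(matches)} event(s)")
        for m in matches:
            print("   ", m)
```

Passing an empty device set shows the "all devices by default" behaviour: the svc_backup logon on the out-of-scope Linux host then also raises a hit.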