This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

Making a rule for a 100 logon failures.

I am trying to make a rule for 100 similar logon failures and trigger an email and SNMP trap. I have several rules set up and they all work well. This is one thing I cannot figure out, probably because I don't fully understand the "1 event within 5 minutes" part of the correlation. I always had it at 1 per 30 seconds and it has worked well.

Also, I have multiple customers logging to a single appliance and I hope I don't have to make one rule for each customer.

  • FormerMember

    Hi,

    You just need to get the correlation side of things squared away in your rule and you will be fine.

    Under Correlation Time change 1 to 100 and within 30 seconds to your desired time window (e.g. 3 minutes). The response window is a bit of a mystery to me too and I have typically left this setting alone for fear of breaking the rules. If you need to get complex, you can use the advanced correlation configuration (gear icon). You will need to identify how long it takes for LEM to receive 100 simultaneous login events and ensure this also fits within the window in which you want to fire a rule for this activity, else your rule may not fire, or fire false alerts.

    To send SNMP traps you need to configure the SNMP active response connector, and for email the SMTP active response connector. Your rule will need to be relevant, but if you want it to fire on only say 10 usernames, create a user defined group and set your event correlation to contain that group.

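To make the "N events within a time window" correlation concrete, here is an added illustration (not LEM code and not from either poster) of what such a rule does internally: a sliding-window threshold that counts failed logons per customer and fires once when 100 of them fall inside a 3-minute window. The log format, customer names and the `send_responses` stand-in for the SMTP/SNMP active response connectors are all assumptions constructed for the example; keying the window on the customer field is what lets one rule cover every customer on the appliance instead of one rule per customer.

```python
"""Sliding-window threshold correlation over constructed logon-failure log lines.

Added example; it models a "100 events within 3 minutes" rule, it is not LEM's
implementation. Log format, customer names and response stand-ins are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 100                  # "1 event" -> "100 events" in the correlation setting
WINDOW = timedelta(minutes=3)    # "within 30 seconds" -> "within 3 minutes"

# Assumed line layout: <ISO timestamp> customer=<id> user=<name> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) customer=(?P<customer>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(line):
    """Turn one constructed log line into an event dict; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "customer": m["customer"],
            "user": m["user"], "result": m["result"]}


class ThresholdRule:
    """Fire when `threshold` failures for the same key occur within `window`."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, key=lambda e: e["customer"]):
        self.threshold = threshold
        self.window = window
        self.key = key                      # grouping field: one window per customer
        self.buckets = defaultdict(deque)   # key -> timestamps of recent failures
        self.alerts = []

    def feed(self, event):
        if event["result"] != "failure":
            return None
        q = self.buckets[self.key(event)]
        q.append(event["ts"])
        cutoff = event["ts"] - self.window
        while q and q[0] < cutoff:          # drop failures that aged out of the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = {"key": self.key(event), "count": len(q), "first": q[0], "last": event["ts"]}
            self.alerts.append(alert)
            q.clear()   # assumed policy: one burst -> one email/trap, not one per extra event
            return alert
        return None


def send_responses(alert):
    """Stand-in for the SMTP and SNMP active responses (assumed, prints only)."""
    msg = f"{alert['count']} logon failures for {alert['key']} between {alert['first']} and {alert['last']}"
    print("EMAIL:", msg)
    print("SNMP TRAP:", msg)


def run(lines, threshold=THRESHOLD, window=WINDOW):
    """Feed parsed lines through the rule; return the list of alerts that fired."""
    rule = ThresholdRule(threshold, window)
    for line in lines:
        ev = parse(line)
        if ev is not None and rule.feed(ev) is not None:
            send_responses(rule.alerts[-1])
    return rule.alerts


def make_sample():
    """Constructed sample: two customers on one appliance, events in time order."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    # acme: 120 failures in 2 minutes, so 100 land inside a 3-minute window -> should fire
    for i in range(120):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} customer=acme user=svc{i % 10} result=failure")
    # globex: 100 failures spread 6 s apart over 10 minutes -> never 100 within 3 minutes
    for i in range(100):
        ts = (base + timedelta(seconds=6 * i)).isoformat()
        lines.append(f"{ts} customer=globex user=bob result=failure")
    # successes are ignored by the rule
    for i in range(5):
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} customer=globex user=alice result=success")
    lines.sort()   # same fixed-width timestamp prefix, so string order is time order
    return lines


if __name__ == "__main__":
    for a in run(make_sample()):
        print(a)
```

Running it fires exactly one alert, for `acme`, even though `globex` also produced 100 failures: they are too spread out for any 3-minute window to hold all of them. Lowering `threshold` to 1 reproduces the "1 event within 30 seconds" behaviour the question mentions, where every single failure fires the rule. The clear-after-fire step is a design choice of this example, not a statement about what LEM's response window does.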