To follow up a little, the tricky part of this will be that it has to be two different event types to trigger the rule. Check out the other thread for the basics, but basically you'll want:
VPN Down EXISTS
VPN Up NOT EXISTS
VPN Down.Source?=VPN Up.Source? (some way to identify a unique tunnel that has gone down if you have more than one)
Response window - 5 minutes
The "Down" and "Up" exists/not exists need to be two different events. If they aren't, what I'd do would be to create a rule that infers another event type on the Down or Up event and use that as your exists or not exists (i.e. you can only "not exists" an event type, and having your exists and not exists be the same event type doesn't make sense).
Currently I have one rule for VPN Down and one rule for VPN Up, regardless of the specific tunnel. If I understand this correctly I will need a unique Down & Up event for each specific tunnel, is that correct?
You need a unique up and down event by event type, then something to tie the events together per tunnel (e.g. SourceMachine needs to match).
Basically we'll have one rule that describes the "down but not up in 5 minutes" and that rule will "remember" (or fire for) each tunnel as long as there's a field to compare.
If you have sample events you're looking at, I could be a little more prescriptive
I sent you a PM with an example log; hopefully that will help!
So, ideally you'd be able to do this:
(tunnel down) EXISTS
(tunnel up) NOT EXISTS
(tunnel down).SourceMachine = (tunnel up).SourceMachine
Response Window: 5 minutes
That would tell you if you got a tunnel down but not a tunnel up from the same source machine (the other end of your tunnel) within 5 minutes (so - your tunnel had been down for 5 minutes). If the tunnel names were in a field, you could use that, too, but it looks like they are buried in ExtraneousInfo.
Looking at the sample, I'm guessing both your "up" and "down" events are IPSecTrafficAudit and the thing that differs between them is the EventInfo that includes "tunnel-up" vs. "tunnel-down". Here's where it gets sticky - there's no way (that we've exposed in the console anyway) to do a NOT EXISTS rule with two of the same event type.
Ideally you'd be able to do:
IPSecTrafficAudit EXISTS and IPSecTrafficAudit NOT EXISTS
IPSecTrafficAudit.SourceMachine = IPSecTrafficAudit.SourceMachine
Response Window: 5 minutes
...but even looking at it, that doesn't really make sense You'd need to be able to distinguish between the two IPSecTrafficAudits which isn't possible right now.
So, enter, the inference rule (or incident) workaround.
IPSecTrafficAudit.EventInfo = "*tunnel-down*"
(if you need to restrict to only passing on info about certain tunnels, firewalls, or other criteria you could add that here)
Action: Infer Alert (or Incident Alert)
Pick an event to infer - I'd probably go with either NetworkIncident if you want to do Incident, or PointToPointTrafficAudit if you want to do infer - this way you still have similar fields to work from
Make sure to fill out the fields
Rule 2: I'll use PointToPointTrafficAudit (the alert I'm inferring from Rule 1) as my example
IPSecTrafficAudit NOT EXISTS
IPSecTrafficAudit.SourceMachine = PointToPointTrafficAudit.SourceMachine
IPSecTrafficAudit.EventInfo = "*tunnel-up*"
PointToPointTrafficAudit.EventInfo = "*tunnel-down*"
Response Window: 5 minutes
Action: probably an email notification
All of that means:
- Look for PointToPointTrafficAudit events that contain "tunnel-down" in the EventInfo
- Also, look for IPSecTrafficAudit events that contain "tunnel-up" in the EventInfo
- If you do see both of those things within 5 minutes of each other from the same SourceMachine, we're good!
- If you only see the PointToPointTrafficAudit but do NOT see the IPSecTrafficAudit from the same SourceMachine, then do something (probably an email notification)
If you're concerned about the tunnel going down-up-down within 5 minutes, you might also need to specify that their detection times need to be in sequence and the up event follows the down (e.g. IPSecTrafficAudit.DetectionTime > PointToPointTrafficAudit.DetectionTime) - response windows are sliding windows, so it will look for events that came both before AND after.
I hope that's helpful... I didn't test this in my lab, but this is what I'd build.
Ok, so I am working through this and I am confused at Rule2
1 Rule 2: I'll use PointToPointTrafficAudit (the alert I'm inferring from Rule 1) as my example
2 PointToPointTrafficAudit EXISTS
3 IPSecTrafficAudit NOT EXISTS
4 IPSecTrafficAudit.SourceMachine = PointToPointTrafficAudit.SourceMachine
5 IPSecTrafficAudit.EventInfo = "*tunnel-up*"
6 PointToPointTrafficAudit.EventInfo = "*tunnel-down*"
7 Response Window: 5 minutes
8 Action: probably an email notification.
On line 2 & 3 I assume you mean the following:
If that is the case how could like 5 be possible if we already required that it not exist? Also, since we are using a IPSecTrafficAudit to infer a PointToPointTrafficAudit then it would be definition exist would it not?
Lastly, I don't see a way to do what you are suggesting in line 4.
Thanks in advance, I really appreciate your help on this!
The criteria in the "not exists" are specifying the types of IPSecTrafficAudits that the rule "remembers" - basically you need to tell the rule how to cancel your other event out, otherwise ANY IPSecTrafficAudit will cancel your rule out which isn't what you want. It's not really linear, it's more like a "grouping" of information about that IPSecTrafficAudit that refines your rule criteria.
Line 4 is similar - this tells the rule engine that in order for the IPSecTrafficAudit to cancel out your other event, it needs to match on the SourceMachine. Otherwise, you'll find ANY tunnel coming back up will cancel out ANY tunnel going down, which means you won't be able to track a specific tunnel.
Nicole I have the same issue going on here at my location. I had my lem connector built to provide unique ID in the sourceaccount field. I have been working with Jason Dee on Case number 798758. If you could help that would be great. Jason has screen capture. A go to meeting would be great if we could. Thanks