3 Replies Latest reply on Nov 5, 2015 10:09 AM by nicole pauls

    HostIncident event

    dcross.dfc

        This might be a silly question with a more than obvious answer. I have been reading through the user guide and I have enabled several rules (such as Track Failed Login Attempts to Administrative Accounts) which per the documentation:


      “The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.”


      My incident reports are returning “0” results, even though nDepth shows that the rule did fire. What am I missing here? How can I run a report which shows the activity these rules are flagging? Or is the expectation that I should be using some “Action” such as send an email or a popup message?


      Thank you for your time.

        • Re: HostIncident event
          cjfranca

          Sorry, I do not understand.

          Can you show an image?

            • Re: HostIncident event
              dcross.dfc

              Hello,


              I am unable to post a screen shot of the LEM. Below is an excerpt from the user guide. I am looking to understand “What can I do with these HostIncident events now that they are being generated? How would I use them in conjunction with the Incidents report?”


              Creating a LEM Rule to Track Failed Login Attempts to Administrative Accounts

              Clone and enable the Critical Account Logon Failures rule to track failed login attempts to the default Administrator account in Windows. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.

              For more information about scheduling and leveraging the Incidents report, see "Leveraging the Incidents Report in Security Audits" on page 80.


              Thank you for your time.

            • Re: HostIncident event
              nicole pauls

              Do you see HostIncident events if you search for those specifically in nDepth? Or in an Incidents (or maybe Security Events) filter?


              If you have a place where you see the rule firing in your console, you can click on the event and go to Explore > Event to open up the Event Explorer. The explorer will show you what events caused the rule to fire, and what actions the rule took when it fired. (Make sure the "InternalRuleFired" event is in the center of the graph, or double click on it to re-center it to the middle of the graph). That should show you a HostIncident event on the right side (to indicate that the rule fired and triggered a HostIncident).


              If you see the HostIncident events in nDepth/the console, the problem might be in the report. If you don't see them in the Console, the problem might be with the rule.