This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
  • RSA.com
  • Products
    • Archer®
      • Archer®
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Archer® Exchange
      • Training
      • Upcoming Events
      • Videos
    • RSA® Fraud & Risk Intelligence Suite
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Web Threat Detection
      • Upcoming Events
      • Videos
    • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Cloud
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Patch Content
      • Videos
    • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication Mobile SDK
      • Advisories
      • Events
      • Ideas
      • Knowledge Base
      • Request Access
      • Training
    • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication for eCommerce
      • RSA® Adaptive Authentication for eCommerce
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® FraudAction Services
      • RSA® FraudAction Services
      • Advisories
      • Discussions
      • Documentation
      • Ideas
      • Videos
    • RSA® Web Threat Detection
      • RSA® Web Threat Detection
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Videos
    • RSA NetWitness® Platform
      • RSA NetWitness® Platform
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA NetWitness® Detect AI
      • RSA NetWitness® Detect AI
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Investigator
      • RSA NetWitness® Investigator
      • Documentation
      • Download the Client
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Orchestrator
      • RSA NetWitness® Orchestrator
      • Overview
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA SecurID® Suite
      • RSA SecurID® Suite
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Knowledge Base
      • Ideas
      • Integrations
      • Training
      • Videos
    • RSA® Identity Governance & Lifecycle
      • RSA® Identity Governance & Lifecycle
      • Advisories
      • Blog
      • Community Exchange
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA SecurID® Access
      • RSA SecurID® Access
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • Other RSA® Products
      • Other RSA® Products
      • RSA® Access Manager
      • RSA® Data Loss Prevention
      • RSA® Digital Certificate Solutions
      • RSA enVision®
      • RSA® Federated Identity Manager
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
  • Resources
    • Advisories
      • Product Advisories on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Hosted
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Product Advisories
    • Blogs
      • Blogs on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Blogs on RSA Link
    • Discussion Forums
      • Discussion Forums
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Discussion Forums on RSA Link
    • Documentation
      • Product Documentation
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Downloads
      • Product Downloads
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Downloads on RSA Link
    • Ideas
      • Idea Exchange
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Knowledge Base
      • Knowledge Base
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Knowledge Base Pages on RSA Link
    • Upcoming Events on RSA Link
      • Upcoming Events
    • Videos
      • Videos on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise
      • RSA® Adaptive Authentication On-Premise (Cassandra)
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Videos on RSA Link
  • Support
    • RSA Link Support
      • RSA Link Support
      • News & Announcements
      • Getting Started
      • Support Forum
      • Support Knowledge Base
      • Ideas & Suggestions
    • RSA Product Support
      • RSA Product Support
      • General Security Advisories and Statements
      • Product Life Cycle
      • Support Information
      •  
      •  
      •  
      •  
      •  
  • RSA Ready
  • RSA University
    • Certification Program
      • Certification Program
    • Course Catalogs
      • Course Catalogs
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • On-Demand Subscriptions
      • On-Demand Subscriptions
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • Product Training
      • Product Training
      • Archer®
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Identity Governance & Lifecycle
      • RSA NeWitness® Platform
      • RSA SecurID® Access
    • Student Resources
      • Student Resources
      • Access On-Demand Learning
      • Access Virtual Labs
      • Contact RSA University
      • Enrollments & Transcripts
      • Frequently Asked Questions
      • Getting Started
      • Learning Modalities
      • Payments & Cancellations
      • Private Training
      • Training Center Locations
      • Training Credits
      • YouTube Channel
    • Upcoming Events
      • Upcoming Events
      • Full Calendar
      • Conferences
      • Live Classroom Training
      • Live Virtual Classroom Training
      • Webinars
Sign In Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

Visit the Known Issues dashboard if you are experiencing issues on RSA Link

View Dashboard

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
  • RSA Link
  • :
  • Products
  • :
  • Other RSA Products
  • :
  • RSA enVision
  • :
  • Discussions
  • :
  • Correlation Rule with exceptions
  • Options
    • Subscribe to RSS Feed
    • Mark Topic as New
    • Mark Topic as Read
    • Float this Topic for Current User
    • Bookmark
    • Subscribe
    • Mute
    • Printer Friendly Page
RSAAdmin
RSAAdmin Beginner
Beginner
‎2009-11-24 04:06 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Correlation Rule with exceptions

Hi,
I have setup up a correlated rule that I now want to modify to include exceptions but am having trouble getting it to work, hope someone may help point me in the right direction.
We are monitoring and alerting on interactive logins (Windows event ID 528 - type 2 ands type 10 login events) by 'service' accounts.  I have achieved this by setting up a correlated rule with 1 circuit, 1 statement and filters applied to the statement :
Rule: LOGIN SERVICE ACCOUNT
Circuit: GET EVENTS
Statement: WINDOWS SUCCESSFUL LOGIN EVENTS
    - Threshold: Consider every event
    - Device Class/Type: Hosts.Windows Hosts
    - Event Type: Event ID for Windows Events (NIC) in Value: Security_528_Security, Security_528_Security:02
Filter: Where User Name In Watchlist SERVICE ACCOUNTS and Logon Type In Watchlist Windows Logon Type
   
The above rule work fine.  What I now need to achieve is to configure this rule to handle the exceptions, i.e. there are some instances where a particlar service account is allowed to interactively login to a particular server (but not other servers).  So for example :
If service account aaa interactively logs in to server 111 - alert
If service account bbb interactively logs in to server 111 - alert
If service account aaa interactively logs in to server 222 - don't alert
If service account bbb interactively logs in to server 222 - alert
How would I achieve these (and more similar) exceptions ?
  • Tags:
  • Community Thread
  • Discussion
  • enVision
  • Forum Thread
  • RSA enVision
0 Likes
Share
Reply
  • All forum topics
  • Previous Topic
  • Next Topic
13 Replies
RSAAdmin
RSAAdmin Beginner
Beginner
‎2009-11-25 09:42 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

I think you might need to create multiple statements and possibly circuits to cover the conditions.  Please correct me if I misunderstood the goals here.

 

- Alert if any service account interactively logs into any server in group A

- Alert if only specific service accounts interactive logs into any serverin group B

 

 If you split these into two statements joined with an OR you should be able to achieve the desired results.  Each statement will have a filter reflect one of the specific points listed above. 

 

How many exceptions were you planning on creating with the rule?

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2009-11-25 01:56 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Hi Daniel,

 

The example I gave were a general idea of what we need to achieve.  There is likely to be many more different servers that for some reason different service accounts need to interactively login to them. 

 

We have over 1000 servers and over 1200 service accounts, as the monitoring of the use of these service accounts continues we will find quite a few more exceptions that may need to be handled.  So, potentially we could have 10's of exceptions.  

 

I need to find the best way to implement these in the rules, I was hoping it could be achieved by adding to the existing filter set ?  But not having used correlated rules very much I 'm still learning.

 

Any ideas appreciated.

 

Thanks

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2009-11-25 02:56 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

My other suggestion would be to try and leverage the operators (AND, OR, etc) within the filter, statements and

circuits to create a more complex rule.  Here is a simple example of how envision processes the operator:

 

Let's start with a rule that has 1 circuit and 3 statements in the following order

Statement_1

OR Statement_2

AND Statement_3

 

In this scenario, if statement_1 and statement_3 were true, the alert would fire.  Similiarly, if Statement_2 and Statement_3 became true, the alert would fire.  So I'll rewrite the rule so you can better visualize the logic behind this.

 

( Statement_1 OR Statement_2 ) AND Statement_3

 

So when you add a 4th statement to this rule

 

Statement_1

OR Statement_2

AND Statement_3

AND NOT Statement_4

The rule's logic can be expressed as  (( Statement_1 OR Statement_2 ) AND Statement_3 ) AND NOT Statement_4

 

Unfortunately without understanding in detail all the conditions for the rule it's hard to determine what's the best way for you to proceed.  However I suspect you will have to break down the rule into multiple parts to make this work properly. 

 

Sometimes I will create a truth table to list all the input conditions to the rule and the outcomes I expect and then create the rule from that.

 

I hope this helps.

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2009-11-25 03:19 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Thanks for the tips, I'll give it a go and see if I have any luck.
0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2009-11-27 03:00 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Hi Daniel,

 

From your suggestions, this is what I have come up with so far :

 

 

<cad timestamp="2009-11-27 08:37:31" decaytime="60" level="4" eventcategory="1401060000" content="LOGIN SERVICE ACCOUNT" explanation="Monitor for login activity by a service account." ipapattern="" ipacount="-1">
 <circuit id="Circuit:Get Events" >
  <statement  id="Windows Successful Login Events" thp="false">
   <device  comparison="IN">
    <devvalue  dclass="Windows Hosts" case="false" regex="false">
     <ipadd value="ALL"/>
    </devvalue>
   </device>
   <eventset>
    <eventid comparison="IN">
     <evalue msgid="Security_528_Security" dtype="winevent_nic" case="false" regex="false"/>
     <evalue msgid="Security_528_Security:02" dtype="winevent_nic" case="false" regex="false"/>
    </eventid>
   </eventset>
   <filterset>
    <filter comparison="IN">
     <filtervalue variable="username" value="SERVICE ACCOUNTS" comparison="WATCHLIST" case="IGNORE"/>
    </filter>
    <operator name="AND" />
    <filter comparison="IN">
     <filtervalue variable="logon_type" value="Windows Logon Type" comparison="WATCHLIST" case="IGNORE"/>
    </filter>
   </filterset>
  </statement>
  <operator name="AND_NOT" within="-1" />
  <statement  id="Exclusions - Windows Successful Login Events" thp="false">
   <device  comparison="IN">
    <devvalue  dclass="Windows Hosts" case="false" regex="false">
     <ipadd value="ALL"/>
    </devvalue>
   </device>
   <eventset>
    <eventid comparison="IN">
     <evalue msgid="Security_528_Security" dtype="winevent_nic" case="false" regex="false"/>
     <evalue msgid="Security_528_Security:02" dtype="winevent_nic" case="false" regex="false"/>
    </eventid>
   </eventset>
   <filterset>
    <filter comparison="IN">
     <filtervalue variable="workstation" value="SERVERxyz" comparison="IN" case="IGNORE"/>
    </filter>
    <operator name="AND" />
    <filter comparison="IN">
     <filtervalue variable="username" value="SERVICEACCOUNTabc" comparison="IN" case="IGNORE"/>
    </filter>
   </filterset>
  </statement>
 </circuit>
</cad>

 

 

So, in the first statement I look for a login event, then have a second statement to perform the exception on the server and service account we want excluded from the alerting.

 

 

I haven't had a chance to fully test, but so far seems it achieve what I want, however I need to incorporate additional exceptions for other servers and service accounts.

 

Do you see anything obviously wrong with the above ?

 

Thanks,

 

Mike

 

 

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2009-12-01 10:44 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

I believe that should be fine.  Basically you'll just keep adding additional statements joined with "AND NOT" to reflect each additional exception to the rule.  That should hopefully keep the rule manageable if you have a large number of exceptions.

 

 

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
‎2011-02-11 04:13 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

I am trying to perform this exact same correlation rule by using your example.  I am trying to understan why you have the second watchlist "Logon Type".  Would you explain this to me?

 

This is the rule that I need, which I believe is the same:

 

I want to monitor all successful logon events for all windows hosts, where specific service accounts are used.  I also want to create a filter, excluding a list of hosts where these service accounts should be used.

 

Thanks,

Greg

0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
‎2011-02-21 10:32 PM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Gents,

May I suggest that you just look for any interactive logins from a service account to any server. Look for the 528 and 4624 (win2k8) and the following conditions:

Login Type 2 (interactive login) and 10 (remote access)

Now there are some service accounts that use login type 2 & 10, but those are local logins and can be filtered out the "source user" ending in $.

This is how I have done it....I will attach the XML tomorrow that works with Content 2.0

Paul
0 Likes
Share
Reply
RSAAdmin
RSAAdmin Beginner
Beginner
In response to RSAAdmin
‎2011-02-22 10:02 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Here is my rule for checking sevice accounts....I am simply looking for interactive, direct logins using the accounts in my watchlist.  By looking for both Login Process of User32 and Logon Type of 2 and 10...I can alert of anyone using the service account outside of its normal process.  I can look at them across all servers and I think that is what you want to do.  Usually a service account will have higher privileges than a normal user account and many times can be domain/local administrators...so I tend to want to see any interactive/direct logins.

 

 

Preview file
2 KB
0 Likes
Share
Reply
  • « Previous
    • 1
    • 2
  • Next »
  • « Previous
    • 1
    • 2
  • Next »
Powered by Khoros
  • Products
  • Resources
  • Solutions
  • RSA University
  • Support
  • RSA Labs
  • RSA Ready
  • About RSA Link
  • Terms & Conditions
  • Privacy Statement
  • Provide Feedback
© 2020 RSA Security LLC or its affiliates.
All rights reserved.