This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2010-01-25 11:24 AM

CRL to show multiple logins from 1 username to multiple machines

Im trying to create a rule to show multiple logins from one username. Id imagine multi threading is the best way to do it but I don't seem to have the option of a username in the definition list. I think I'm creating the rule correctly, could someone maybe give me an example? How do I populate the definition options with more than the standard entries?
0 Likes
Reply
10 Replies
RSAAdmin
Beginner
Beginner
‎2010-01-26 08:49 AM

It is the best way but the feilds only show up if they are common to all events selected in the statement(s).

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-01-26 06:01 PM

That's correct. 

 

My recommendation is that you add another item to your event selection.  Under the 'Event Type' column for this additional line, select 'Variable' and in the 'Value' column, select the variable you are using for multi-threading. 

 

Effectively you are selecting the events by whether they have a specific variable in use and whatever other criteria you have selected.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-01-27 08:17 AM

Hi I think ive followed your suggestions correctly. Can you please take a look at the HTML screen shot or the xml attachment and let me know if you think this is correct.

 

My appologies i can only add one attachment. If you would like the XML please let me know.

Message Edited by Darryl on01-27-201001:18 PM
Preview file
36 KB
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-01-27 08:54 AM

As a rule of thumb, if you go back to the initial screen you see when editing the rule, the rule's multi-threading settings will be checked everytime  you visit that page.  If the rule is not valid, the text within the multi-threading area will be red (instead of black).

 

Looking at your HTML output I can't quite tell because in the page the multi-threading setting is using the variable's "label" and within the event selection it appears to use the actual variable.  If you could post the XML, it would be a lot easier to validate.  However if you follow the above steps to check the multi-threading validity and you don't see an error then you can safely assume the rule is correct. 

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-01-27 09:40 AM

Thanks for the advice ill take a look acording to the steps you suggested but ive attached the XML just to make sure. Thanks again
Preview file
2 KB
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-01-27 10:46 AM

I took a look at the XML and your rule looks correct.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-01-27 10:48 AM

Thanks, ive tried to test it but it doesnt seem to fire.
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-01-27 02:29 PM

Sorry, I misunderstood the original request (I thought you only wanted validation of the multi-threading).  I took a further look at the rule that you posted and there some additional things you probably want to add in here.

 

The first is you aren't truly considering that a user has logged into multiple machines.  You probably want to associate a cache variable with the server IP address in the "FirstLogin" circuit so that you can compare it to the server IP address in the "SecondLogin" circuit.

 

The other issue is your decay time.  Since you require that all events must fire within 1 minute, it's possible that you might not actually collect the events within that time period for that event to fire.  I would suggest that you expand that out to 5 or 10 minutes so at least you can validate the rule functionality.   Assuming you are using the agentless windows event retrieval, you could configure the collection service to poll more frequently but that potentially has implications for your performance.

 

Cheers

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2010-01-28 04:50 AM

Thanks once again Daniel appreciate your help. Ive added a variable (one of our Domain Controllers) set a default value of its IP address, and set the decay time to 10min. Does this look better (xml attached)

 

Sorry had to remove the XML and alter it to remove the name and ip used.

Message Edited by Darryl on01-28-201009:55 AM
Preview file
2 KB
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.