Hi, I am trying to set up a very simple correlated alert to try and get my head around basic concepts. All I want is for an alert to be sent when 5 failed authentication attempts to enVision itself occur within 1 minute.
I have one circuit, which contains just one statement. That statement matches on the NIC System event with event ID 800015. It has a threshold set for 5 events within 60 seconds. The correlated alert rule has a decay time of 61 seconds. The view which uses this correlated rule has no multi-threading, no cache variables, and no threshold set on the view itself.
The problem is that each time a failed login occurs an alert gets generated. The threshold seems to do nothing. Even when I wait 5 minutes, fail authentication once then leave it, one alert gets created. I just don't understand the logic in enVision's alerting configuration at all. Why does it have to be so hard? Thanks, Mark.
I have just set up a correlated alert as you have described and it works fine.
When you say that an alert is created each time a failed login occurs, do you mean you can see an alert fire under "Real Time Detail"? Or that you can always see an "800015" Message ID each time you fail to login?
I mean an actual alert fires under "Real Time Detail".
I would expect to see the 800015 message in event viewer of course, but I wouldn't expect to see an alert generated until the threshold has been reached.
Did you set up your threshold on the statement itself, or on the view that references the correlated rule?
<cad timestamp="2012-06-28 02:16:15" decaytime="61" level="5" eventcategory="1401030000" content="More than 5 failed enVision logins in 1 Minute" explanation="Generated when enVision logs more than 5 failed authentication attempts to itself inside 60 seconds. This can include attempts to log in to a locked out account and includes multiple accounts." action="Have a look at the enVision Event Viewer for events coming from the NIC System event type, specifically the Event ID 800015." ipapattern="" ipacount="-1">
<circuit id="Failed-Auth-1">
<statement id="enVision Failed Auth" thp="false">
<device comparison="IN">
<devvalue dclass="System" case="false" regex="false">
<ipadd value="192.168.22.35" />
<eventid comparison="IN">
<evalue msgid="800015" dtype="nic" case="false" regex="false" />
Thanks for your help.
I think if I turn on suppression then failed logins from the same user will be suppressed but different users won't be. I could be wrong though.
After looking through your xml I can see that there is no threshold set.
On your line of xml - "<statement id="enVision Failed Auth" thp="false">"
On my line of xml - "<statement id="s1" thc="5" thw="60" thp="false">"
I've attached a picture for your reference of where to double check your threshold.
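To make the thc/thw semantics from the reply above concrete, here is a small model (added example, not enVision code) of a one-statement circuit run over constructed 800015 events: with no threshold every matching event fires, with thc="5" thw="60" only the fifth failure inside the window does. The decay handling is an assumption about how decaytime suppresses re-firing, not documented behaviour.

```python
from datetime import datetime, timedelta

# Constructed sample of NIC System events as (timestamp, Message ID).
# 800015 is the failed enVision login discussed in the thread.
SAMPLE_EVENTS = [
    ("2012-06-28 02:10:00", "800015"),
    ("2012-06-28 02:10:10", "800015"),
    ("2012-06-28 02:10:20", "800015"),
    ("2012-06-28 02:10:30", "800015"),
    ("2012-06-28 02:10:40", "800015"),  # 5th failure within 60 s
    ("2012-06-28 02:10:45", "800200"),  # unrelated Message ID, ignored
    ("2012-06-28 02:16:00", "800015"),  # isolated failure, outside window
]

def correlate(events, msgid="800015", thc=None, thw=60, decay=61):
    """Model of a statement with threshold count thc over a sliding window
    of thw seconds. thc=None mirrors the original XML (no thc/thw set),
    where every matching event fires an alert. Returns the timestamps at
    which an alert fires."""
    window = []      # timestamps of matching events inside the window
    alerts = []
    last_fire = None
    for ts_str, mid in events:
        if mid != msgid:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if thc is None:
            alerts.append(ts_str)
            continue
        # drop events that have aged out of the thw-second window
        window = [t for t in window if ts - t < timedelta(seconds=thw)]
        window.append(ts)
        if len(window) >= thc:
            # assumed decay semantics: do not re-fire until decay seconds
            # after the previous alert, then start counting afresh
            if last_fire is None or ts - last_fire >= timedelta(seconds=decay):
                alerts.append(ts_str)
                last_fire = ts
                window = []
    return alerts

if __name__ == "__main__":
    print("no threshold:", correlate(SAMPLE_EVENTS))
    print("thc=5 thw=60:", correlate(SAMPLE_EVENTS, thc=5, thw=60))
```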
Weird. When I checked the statement it wasn't there. Maybe I forgot to Apply it? Anyway, I added it:
<statement id="enVision Failed Auth" thc="5" thw="60" thp="false">
But the behaviour was exactly the same. Every time I failed an authentication the alert gets generated.
What I'd failed to do was to restart the view that uses that alert! Silly me. Now it works like a charm. Thanks for your help.