RSA Admin

Correlation Rule with exceptions

Discussion created by RSA Admin Employee on Nov 24, 2009
Latest reply on Dec 1, 2009 by RSA Admin
Hi,
I have setup up a correlated rule that I now want to modify to include exceptions but am having trouble getting it to work, hope someone may help point me in the right direction.
We are monitoring and alerting on interactive logins (Windows event ID 528 - type 2 ands type 10 login events) by 'service' accounts.  I have achieved this by setting up a correlated rule with 1 circuit, 1 statement and filters applied to the statement :
Rule: LOGIN SERVICE ACCOUNT
Circuit: GET EVENTS
Statement: WINDOWS SUCCESSFUL LOGIN EVENTS
    - Threshold: Consider every event
    - Device Class/Type: Hosts.Windows Hosts
    - Event Type: Event ID for Windows Events (NIC) in Value: Security_528_Security, Security_528_Security:02
Filter: Where User Name In Watchlist SERVICE ACCOUNTS and Logon Type In Watchlist Windows Logon Type
   
The above rule work fine.  What I now need to achieve is to configure this rule to handle the exceptions, i.e. there are some instances where a particlar service account is allowed to interactively login to a particular server (but not other servers).  So for example :
If service account aaa interactively logs in to server 111 - alert
If service account bbb interactively logs in to server 111 - alert
If service account aaa interactively logs in to server 222 - don't alert
If service account bbb interactively logs in to server 222 - alert
How would I achieve these (and more similar) exceptions ?

Outcomes