
Creating Correlation Rule: failed auths from 1 IP using 2 users

Question asked by whateverworks on Dec 10, 2013
Latest reply on Dec 17, 2013 by RSA Admin

I want to create a correlation rule on my log decoder to find failed RSA authentications from 1 source using multiple user IDs within 5 minutes.


Here's what I've got for my correlation rule:


Condition: event.cat.name=auth.failures && device.type=rsaacesrv

Threshold: u_count(user.dst)>2

InstanceKey: ip.src

Time Window: 5 minutes


When I validate the rule I get "There was an unspecified error parsing the rule."

When I try to apply the rule I get "threshold field error. Expect: thresh=op-string(key-string)>value[mb|kb|gb]"


OK, it doesn't like that. I added user.dst to the Instance Key so that this is what my rule looked like:

Condition: event.cat.name=auth.failures && device.type=rsaacesrv

Threshold: u_count(user.dst)>2

InstanceKey: ip.src, user.dst

Time Window: 5 minutes


When I validate the rule I get "There was an unspecified error parsing the rule." again.

When I try to apply the rule I get a different error: "Correlation compound keys must have the same format for both elements. Key ip.src format IPv4 is not the same as key user.dst format Text."


I don't think I'm understanding properly what Condition, Threshold, and Instance Key are specifying in any given Correlation Rule. Can anyone help me out?
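The detection the question is after (failed RSA authentications from one source IP against more than two distinct user IDs inside a 5-minute window) can be written out in plain Python to make the roles of the three rule parts visible. This is an added example, not RSA/NetWitness code and not the product's rule syntax: it assumes the reading the question itself uses, in which the condition is a filter, the instance key is the field events are grouped by, and the threshold is an aggregate evaluated per group over the time window. Field names follow the meta keys in the question; the events, timestamps and IP addresses are constructed.

```python
"""Sliding-window correlation: many distinct user IDs failing from one source IP.

Added example (not RSA/NetWitness code). It reproduces the detection the
question describes so the roles of condition, instance key and threshold are
visible. Field names follow the question's meta keys; all events are constructed.
"""
from collections import defaultdict, deque

# The rule, expressed as plain data (assumed reading of the three rule parts).
CONDITION = {"event.cat.name": "auth.failures", "device.type": "rsaacesrv"}  # filter
INSTANCE_KEY = "ip.src"          # group matching events by this field
THRESHOLD_FIELD = "user.dst"     # u_count(user.dst) > THRESHOLD within the window
THRESHOLD = 2
WINDOW_SECONDS = 5 * 60


def matches_condition(event, condition=CONDITION):
    """Condition: every key in the condition must equal the event's value."""
    return all(event.get(k) == v for k, v in condition.items())


def correlate(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return alerts as (instance key value, trigger time, sorted distinct users).

    Events are processed in time order. For each instance key a deque holds the
    (time, user) pairs still inside the window; when the count of distinct users
    exceeds the threshold an alert is emitted and the deque is cleared, so one
    burst yields one alert rather than one alert per further event.
    """
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not matches_condition(ev):
            continue                       # condition: drop non-matching events
        key = ev[INSTANCE_KEY]             # instance key: one window per source IP
        q = windows[key]
        q.append((ev["time"], ev[THRESHOLD_FIELD]))
        while q and q[0][0] < ev["time"] - window:
            q.popleft()                    # expire entries older than the window
        users = {u for _, u in q}          # threshold: unique count of user.dst
        if len(users) > threshold:
            alerts.append((key, ev["time"], sorted(users)))
            q.clear()
    return alerts


# Constructed sample events. Base time is an arbitrary epoch value.
T0 = 1386633600


def make_event(offset, ip, user, cat="auth.failures", dev="rsaacesrv"):
    """Build one constructed event `offset` seconds after T0."""
    return {"time": T0 + offset, "ip.src": ip, "user.dst": user,
            "event.cat.name": cat, "device.type": dev}


SAMPLE_EVENTS = [
    make_event(0, "10.0.0.5", "alice"),
    make_event(30, "10.0.0.5", "alice"),                         # same user again: not distinct
    make_event(60, "10.0.0.5", "bob"),
    make_event(90, "10.0.0.5", "carol", cat="auth.successes"),   # success: fails the condition
    make_event(120, "10.0.0.5", "carol"),                        # third distinct user -> alert
    make_event(0, "10.0.0.9", "dave"),
    make_event(100, "10.0.0.9", "erin"),
    make_event(700, "10.0.0.9", "frank"),                        # dave/erin already expired
    make_event(10, "10.0.0.7", "gina", dev="winevent"),          # wrong device.type, ignored
    make_event(20, "10.0.0.7", "hank", dev="winevent"),
    make_event(30, "10.0.0.7", "ivan", dev="winevent"),
]

if __name__ == "__main__":
    for ip, when, users in correlate(SAMPLE_EVENTS):
        print(f"{ip}: {len(users)} distinct users failed within {WINDOW_SECONDS}s at +{when - T0}s: {users}")
```

Run stand-alone it reports one alert, for 10.0.0.5 with alice, bob and carol; 10.0.0.9 stays quiet because dave and erin fall out of the 5-minute window before frank arrives, and 10.0.0.7 never matches the condition. Under this grouping reading, the question's second attempt (adding user.dst to the instance key) cannot express the intent: each group would then hold a single user, so the unique count of user.dst per group could never exceed one.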
