RSA Admin

Trying to understand Correlation rules

Discussion created by RSA Admin Employee on Oct 30, 2008
Latest reply on Oct 31, 2008 by RSA Admin

Sorry, I'm a little slow on the uptake. I am trying to write a new correlation rule that fires when a user is locked out of a Windows device multiple times. I also want to capture the unlock event. I have read through all the posts and tried to follow them. Below is a copy of the .xml. Does anyone have any insight? Second, when I try to set the cached variable (I want username), it only seems to set on the first statement. Next, I can't seem to find "username" with multi-threading.


<cad timestamp="2008-10-30 02:40:54" decaytime="3600" level="4" eventcategory="1001000000" content="Multiple user account locks and unlocks" ipapattern="" ipacount="-1">
    <thread value="1" set="event_user"/>
    <cache name="username" default="username" once="true"/>
    <circuit id="User account locked" >
        <statement  id="Account locked" thc="2" thw="3600" thp="false">
            <cache  name="username" set="username"/>
            <device  comparison="IN">
                <devvalue  dgroup="Windows Server" case="false" regex="false">
                </devvalue>
            </device>
            <eventset>
                <eventid comparison="IN">
                    <evalue msgid="Security_644_Security" dtype="winevent_nic" case="false" regex="false"/>
                </eventid>
            </eventset>
        </statement>
    </circuit>
    <operator name="AND" within="3600" />
    <circuit id="User account unlocked" >
        <statement  id="Account unlocked" thc="2" thw="3600" thp="false">
            <device  comparison="IN">
                <devvalue  dgroup="Windows Server" case="false" regex="false">
                </devvalue>
            </device>
            <eventset>
                <eventid comparison="IN">
                    <evalue msgid="Security_671_Security" dtype="winevent_nic" case="false" regex="false"/>
                </eventid>
            </eventset>
        </statement>
    </circuit>
</cad>


Thank you, Joe
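To make the intent of the rule above concrete, here is the same correlation logic written out in plain Python. This is an added illustration, not RSA enVision code and not part of the original post: it models a sliding window of Windows event 644 (account locked out) per target account, fires when the count reaches the thc="2" threshold inside thw="3600" seconds, and then requires an event 671 (account unlocked) for that same account within the window, which is what the AND within="3600" between the two circuits is meant to express. The users, hosts and timestamps are constructed sample data; the key the state is tracked under is the target account name of the lockout, which is the value the rule needs to cache if both circuits are to match the same person.

```python
"""Lockout/unlock correlation over constructed Windows security events.

Added illustration, not RSA enVision code: it models the intent of the
posted rule (>= 2 account-lockout events for the same user within 3600 s,
followed by an unlock of that user within the same window) as plain Python.
Event IDs 644/671 are the Windows 2003 lockout/unlock IDs used in the rule;
the users, hosts and timestamps below are constructed sample data.
"""
from collections import defaultdict, deque

LOCK_WINDOW = 3600      # seconds, mirrors thw="3600" in the rule
LOCK_THRESHOLD = 2      # mirrors thc="2"
LOCK_EVENT = 644        # "User Account Locked Out"
UNLOCK_EVENT = 671      # "User Account Unlocked"

# Constructed sample events: (epoch_seconds, event_id, target_user, device).
# The user is the *target* account of the lockout, i.e. the account that
# was locked, not the caller that triggered the lock.
SAMPLE_EVENTS = [
    (100,  644, "jsmith", "DC01"),
    (900,  644, "jsmith", "DC01"),
    (1200, 671, "jsmith", "DC01"),   # unlock within window -> alert
    (1500, 644, "bjones", "DC02"),
    (5200, 644, "bjones", "DC02"),   # 3700 s after the first: window expired
    (5300, 671, "bjones", "DC02"),   # unlock, but threshold was never met
    (6000, 671, "cdoe",   "DC01"),   # unlock with no prior lockouts
]


def correlate(events, window=LOCK_WINDOW, threshold=LOCK_THRESHOLD):
    """Return one alert per user whose lockout count reached `threshold`
    inside a sliding `window`, and who was then unlocked within `window`
    of the lockout that crossed the threshold."""
    recent_locks = defaultdict(deque)   # user -> timestamps of 644s in window
    armed = {}                          # user -> (ts threshold reached, count)
    alerts = []
    for ts, event_id, user, device in sorted(events):
        if event_id == LOCK_EVENT:
            q = recent_locks[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop lockouts older than window
                q.popleft()
            if len(q) >= threshold:
                armed[user] = (ts, len(q))
        elif event_id == UNLOCK_EVENT:
            state = armed.pop(user, None)     # an unlock always clears state
            if state is None:
                continue                      # unlock without armed lockouts
            armed_at, count = state
            if ts - armed_at <= window:       # the AND within="3600" part
                alerts.append({
                    "user": user,
                    "device": device,
                    "lockouts": count,
                    "unlocked_at": ts,
                })
    return alerts


def alert_users(events=SAMPLE_EVENTS):
    """Convenience wrapper: sorted list of users that triggered the rule."""
    return sorted(a["user"] for a in correlate(events))


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running it on the sample data produces a single alert for jsmith; bjones never reaches the threshold inside one window, and cdoe's unlock has no lockouts behind it. Note that the state is keyed on the target account, so if the rule's cached "username" is filled from a caller field instead, the unlock circuit will not match the locked account.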