This documentation supports an earlier version of BMC Helix Operations Management.


Example: Detect a security attack after failed login attempts to a server

Scenario

Sarah is an administrator at Apex Global. There have been multiple failed login attempts to a host in her organization's infrastructure network. These attempts could indicate a possible security attack on the particular host. She wants to correlate these multiple login attempt events to the same host into a single aggregated event by using a correlation policy.

To correlate matching events, perform the following steps:

  1. Define the event selection criteria.
  2. Specify the correlation settings.

To define the event selection criteria

  1. Select Configuration > Event Policies and click Create.
  2. In the Event Selection Criteria, define a condition to select events from the LOGIN_FAILURE class that contain the message "login failure".

The following image illustrates how the event selection criteria will look.

To learn how to construct the event selection criteria, see Creating and enabling event policies.

To specify the correlation settings

On the Create Event Policy page, perform the following steps to specify the correlation settings:

  1. In Policy Configuration, select Correlation.
  2. Set the matching criteria to correlate events (for this scenario, events that belong to the same host) as shown in the following image.
  3. Specify the settings for the aggregated event formed by correlating multiple login attempt events as shown in the following image.

Results

The correlation policy aggregates multiple events into a single aggregated event as shown in the following image. You can click the aggregated event to view related events.
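The steps above are configured in the product's user interface, and the images that show the exact settings are not part of this text. To make the behaviour of the policy concrete, the following is an added Python example that is not BMC code and does not use the BMC Helix API: it applies the same selection criteria (class LOGIN_FAILURE, message containing "login failure") to a constructed list of events, correlates the matching events per host into aggregated events, and flags an aggregated event as a possible attack once its count reaches a threshold. The ten-minute window and the threshold of five failures are assumptions chosen for the example; the page does not state the values Sarah configures.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Selection criteria from the scenario: LOGIN_FAILURE class, message containing "login failure".
SELECTED_CLASS = "LOGIN_FAILURE"
SELECTED_MESSAGE_FRAGMENT = "login failure"


@dataclass
class Event:
    event_class: str
    host: str
    message: str
    timestamp: datetime


@dataclass
class AggregatedEvent:
    """One aggregated event per host and correlation window, holding its related events."""
    host: str
    first_seen: datetime
    last_seen: datetime
    related: list = field(default_factory=list)

    @property
    def count(self) -> int:
        return len(self.related)


def matches_selection(ev: Event) -> bool:
    """Event selection criteria: class must match and the message must contain the fragment."""
    return ev.event_class == SELECTED_CLASS and SELECTED_MESSAGE_FRAGMENT in ev.message.lower()


def correlate(events, window=timedelta(minutes=10)):
    """Correlate selected events by host. Events that arrive more than `window` after the
    first event of the host's current aggregate start a new aggregate for that host.
    The window length is an assumption for this example."""
    open_by_host = {}      # host -> the aggregate currently collecting events for it
    aggregated = []        # aggregates in order of creation
    for ev in sorted(events, key=lambda e: e.timestamp):
        if not matches_selection(ev):
            continue
        agg = open_by_host.get(ev.host)
        if agg is None or ev.timestamp - agg.first_seen > window:
            agg = AggregatedEvent(host=ev.host, first_seen=ev.timestamp, last_seen=ev.timestamp)
            open_by_host[ev.host] = agg
            aggregated.append(agg)
        agg.last_seen = ev.timestamp
        agg.related.append(ev)
    return aggregated


def suspicious(aggregated, threshold=5):
    """Aggregates whose failure count reaches the threshold (assumed value) for review."""
    return [a for a in aggregated if a.count >= threshold]


# Constructed sample events; hosts, users and times are invented for the example.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    Event("LOGIN_FAILURE", "db-host-01", "Login failure for user admin", T0),
    Event("LOGIN_FAILURE", "db-host-01", "Login failure for user admin", T0 + timedelta(seconds=30)),
    Event("LOGIN_FAILURE", "db-host-01", "Login failure for user root", T0 + timedelta(seconds=60)),
    Event("LOGIN_SUCCESS", "db-host-01", "Login success for user backup", T0 + timedelta(seconds=70)),  # wrong class
    Event("LOGIN_FAILURE", "web-host-02", "Login failure for user guest", T0 + timedelta(seconds=90)),
    Event("LOGIN_FAILURE", "db-host-01", "Login failure for user admin", T0 + timedelta(seconds=120)),
    Event("LOGIN_FAILURE", "db-host-01", "Login failure for user oracle", T0 + timedelta(seconds=150)),
    Event("LOGIN_FAILURE", "db-host-01", "Account locked for user admin", T0 + timedelta(seconds=160)),  # message not selected
    Event("LOGIN_FAILURE", "db-host-01", "Login failure for user admin", T0 + timedelta(seconds=180)),
    Event("LOGIN_FAILURE", "db-host-01", "Login failure for user admin", T0 + timedelta(minutes=15)),  # outside window
]


if __name__ == "__main__":
    for agg in correlate(SAMPLE_EVENTS):
        flag = "POSSIBLE ATTACK" if agg in suspicious(correlate(SAMPLE_EVENTS)) else "ok"
        print(f"{agg.host}: {agg.count} failures between {agg.first_seen:%H:%M:%S} "
              f"and {agg.last_seen:%H:%M:%S} [{flag}]")
```

Running the block produces three aggregated events: six correlated failures on db-host-01 within the first window, a single failure on web-host-02, and a second db-host-01 aggregate for the failure that arrived after the window closed. Only the first is flagged. The success event and the "Account locked" event are excluded by the selection criteria, which mirrors the point of step 2 of the procedure: the correlation only ever sees events that the selection criteria admit.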

