This documentation supports an earlier version of BMC Helix Operations Management.

Example: Detect unauthorized access attempts that might indicate malicious intent


Scenario

Generally, login failures occur because of forgotten passwords. However, a high number of login failures against sensitive systems can indicate malicious intent. Suppose you want to look up the existing login failure events that occurred in the last 600 seconds. Additionally, suppose you want to:

  • Drop the incoming login failure events (associated with the LOGIN_FAILURE1 custom class).
  • Increase the attempt count of the existing event based on the number of duplicate attempts (duplicate events).
  • Update the existing event severity with the new event severity.
  • Raise the event severity to Critical if the number of attempts is greater than 2. Otherwise, raise the event severity to Warning.

To detect unauthorized access attempts, perform the following steps:

  1. Define the event selection criteria.
  2. Build the policy workflow.

Actions involved

  • Lookup
  • Function
  • Variable
  • Enrich
  • If-Then-Else

To define the event selection criteria

  1. Select Configuration > Event Policies and click Create.
  2. In the Event Selection Criteria, define a condition to select login failure events.

The following image illustrates how the event selection criteria will look.

To build the policy workflow

On the Advanced Enrichment page, perform the following steps to build the policy workflow:

  1. Add the Lookup action. Under the Lookup Settings, select With custom criteria and define a condition to look up existing open events that occurred in the last 600 seconds.
  2. Under Update new event, add the Function action to drop the incoming login failure events.
  3. Under Update old events, add a Variable action and set its value to the value of the custom slot named attempt. The value of this variable is used by the Enrich action in the next step.
  4. Under the previous action, add an Enrich action to increase the attempt count of the existing event by 1 for every duplicate attempt.
  5. Under the previous action, add an Enrich action to update the existing event severity with the new event severity.
  6. Under the previous action, add the If action to check whether the number of attempts is greater than 2.
  7. Under Then, add an Enrich action to raise the severity of the existing login failure event to Critical.
  8. Under Else, add an Enrich action to raise the severity of the existing login failure event to Warning.
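The eight steps above describe a deduplicate-and-escalate workflow. The following Python model is added here as an illustration; it is not BMC's code and not the product's policy engine. It replays the workflow over a constructed stream of LOGIN_FAILURE1 events: the lookup matches open events of the same class and host created within the last 600 seconds (matching on host is an assumption for the custom criteria, which the page does not spell out), the incoming duplicate is dropped, the existing event's attempt slot is incremented through a variable, and the If-Then-Else decides the final severity. The Event fields, the host names, and the sample timestamps are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lookup window from the page: existing open events from the last 600 seconds.
LOOKUP_WINDOW_SECONDS = 600
ATTEMPT_THRESHOLD = 2   # more than 2 attempts -> Critical, otherwise Warning


@dataclass
class Event:
    """Minimal stand-in for a login failure event (constructed, not the product's schema)."""
    event_class: str        # custom class, e.g. LOGIN_FAILURE1
    host: str               # assumed lookup key for "custom criteria"
    severity: str
    creation_time: int      # epoch seconds
    status: str = "OPEN"
    attempt: int = 1        # the custom slot named "attempt"


class LoginFailurePolicy:
    """Models the Lookup / Function / Variable / Enrich / If-Then-Else chain."""

    def __init__(self) -> None:
        self.open_events: List[Event] = []

    def lookup(self, incoming: Event, now: int) -> Optional[Event]:
        """Step 1: find an existing OPEN event of the same class and host
        that occurred within the last LOOKUP_WINDOW_SECONDS."""
        for existing in self.open_events:
            if (existing.event_class == incoming.event_class
                    and existing.host == incoming.host
                    and existing.status == "OPEN"
                    and now - existing.creation_time <= LOOKUP_WINDOW_SECONDS):
                return existing
        return None

    def process(self, incoming: Event, now: int) -> str:
        """Returns "new" when the event is kept, "dropped" when it was merged
        into an existing event."""
        existing = self.lookup(incoming, now)
        if existing is None:
            # No match: nothing to update, the incoming event becomes the open event.
            self.open_events.append(incoming)
            return "new"

        # Step 2 (Update new event, Function action): the incoming event is dropped,
        # so it is never appended to open_events.

        # Step 3 (Variable action): capture the existing event's attempt slot.
        attempts = existing.attempt
        # Step 4 (Enrich): attempt = variable + 1 for this duplicate.
        existing.attempt = attempts + 1
        # Step 5 (Enrich): copy the new event's severity onto the existing event.
        existing.severity = incoming.severity
        # Steps 6-8 (If-Then-Else): the threshold check makes the final decision,
        # so it overrides the severity copied in step 5.
        if existing.attempt > ATTEMPT_THRESHOLD:
            existing.severity = "CRITICAL"
        else:
            existing.severity = "WARNING"
        return "dropped"


# Constructed sample stream: (arrival time, event). Three failures from one host
# inside the window, one from another host, then a late failure outside the window.
SAMPLE_STREAM: List[Tuple[int, Event]] = [
    (0,   Event("LOGIN_FAILURE1", "db-prod-01", "MINOR", 0)),
    (120, Event("LOGIN_FAILURE1", "db-prod-01", "MINOR", 120)),
    (240, Event("LOGIN_FAILURE1", "db-prod-01", "MAJOR", 240)),
    (300, Event("LOGIN_FAILURE1", "web-01", "MINOR", 300)),
    (900, Event("LOGIN_FAILURE1", "db-prod-01", "MINOR", 900)),
]


def simulate(stream: List[Tuple[int, Event]]) -> Tuple[LoginFailurePolicy, List[str]]:
    """Run every event through the policy and return the policy state and outcomes."""
    policy = LoginFailurePolicy()
    outcomes = [policy.process(event, now) for now, event in stream]
    return policy, outcomes


if __name__ == "__main__":
    policy, outcomes = simulate(SAMPLE_STREAM)
    for outcome, (now, event) in zip(outcomes, SAMPLE_STREAM):
        print(f"t={now:4d} {event.host:<11} -> {outcome}")
    for event in policy.open_events:
        print(f"open: {event.host} attempt={event.attempt} severity={event.severity}")
```

Running the model shows the escalation the page describes: the second failure from db-prod-01 leaves the open event at Warning with attempt 2, the third pushes it to Critical with attempt 3, and the web-01 failure opens a separate event because it does not match the lookup criteria. The fifth event illustrates the window boundary: it arrives 900 seconds after the original event was created, so the lookup finds nothing and a fresh event with attempt 1 is opened. When tuning the policy, the 600-second value therefore controls how quickly the attempt count resets.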

Results

The resulting policy workflow raises the event severity to Critical if the number of attempts is greater than 2. Otherwise, it raises the event severity to Warning, as shown in the following image:
