This documentation supports the releases of BMC Helix Operations Management up to December 31, 2021. To view the documentation for the latest version, select 23.1 from the Product version picker.

Example: Detect unauthorized access attempts that might indicate malicious intent


Most login failures are caused by forgotten passwords. However, a high number of login failures against sensitive systems within a short time can indicate malicious intent, such as a password-guessing attempt. Suppose you want to look up the existing open login failure events that occurred in the last 600 seconds and, instead of creating a new event for every failure, track the repeated attempts on the existing event. Additionally, suppose you want to:

  • Drop the incoming login failure events (associated with the LOGIN_FAILURE1 custom class) when a matching open event already exists.
  • Increase the attempt count of the existing event based on the number of duplicate attempts (duplicate events).
  • Update the existing event severity with the new event severity.
  • Raise the event severity to Critical if the number of attempts is greater than 2. Otherwise, set the event severity to Warning.

Actions involved: Lookup, Function, Variable, Enrich, If-Then-Else

Event selection criteria: Define a condition to select login failure events (for example, events of the LOGIN_FAILURE1 custom class).

The following image illustrates how the event selection criteria look.

[Screenshot: login failure ev sel.png]

Build the policy workflow:

  1. Add the Lookup action. Under Lookup Settings, select With custom criteria and define a condition to look up existing open events that occurred in the last 600 seconds.
    [Screenshot: Lookup settings login failure Sep_2021.png]

  2. Under Update new event, add the Function action to drop the incoming login failure event, so that a duplicate attempt does not create a second event while the existing event is open.
    [Screenshot: Function settings login failure Sep 21.png]

  3. Under Update old events, add a Variable action and set its value to the value of the custom slot attempt on the existing event. The value of this variable is used by the Enrich action in the next step.
    [Screenshot: Variable settings login failure.png]

  4. Under the previous action, add an Enrich action that sets the attempt slot of the existing event to the variable value plus 1, so that the attempt count increases by 1 for every duplicate attempt.
    [Screenshot: Enrich attempts login failure Sep_2021.png]

  5. Under the previous action, add an Enrich action to update the existing event severity with the new event severity.
    [Screenshot: Enrich 2 login failure.png]

  6. Under the previous action, add the If action to check whether the attempt count of the existing event is greater than 2.
    [Screenshot: If settings login failure.png]

  7. Under Then, add an Enrich action to raise the severity of the existing login failure event to Critical.
    [Screenshot: Enrich 3 sev login failure.png]

  8. Under Else, add an Enrich action to set the severity of the existing login failure event to Warning.
    [Screenshot: Enrich 4 sev login failure.png]

Final workflow: The following image illustrates how the policy workflow looks.

[Screenshot: Lookup Login failure workflow_Sep_2021.png]
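The following Python model is an added example and is not BMC Helix Operations Management code or its policy engine: it replays the Lookup, Function, Variable, Enrich and If-Then-Else steps above over a constructed sequence of login failure events so that the deduplication and escalation logic can be checked offline. The Event fields, the LoginFailurePolicy class and the choice of (class, host, user) as the key for "duplicate" events are assumptions made for this example; the page names only the LOGIN_FAILURE1 class, the attempt slot, the 600-second window and the threshold of 2.

```python
"""Model of the login-failure policy workflow (added example, not BMC code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOOKUP_WINDOW_SECONDS = 600   # Lookup: existing open events in the last 600 seconds
CRITICAL_THRESHOLD = 2        # If: attempts > 2 -> Critical, else Warning
SELECTED_CLASS = "LOGIN_FAILURE1"


@dataclass
class Event:
    event_class: str   # custom class; only LOGIN_FAILURE1 matches the selection criteria
    host: str          # assumed field, used as part of the duplicate key
    user: str          # assumed field, used as part of the duplicate key
    timestamp: int     # epoch seconds
    severity: str      # severity reported by the source
    attempt: int = 1   # custom slot "attempt"
    status: str = "OPEN"


# Assumption: duplicates share class, host and user. The page does not define the key.
Key = Tuple[str, str, str]


class LoginFailurePolicy:
    def __init__(self) -> None:
        self.open_events: Dict[Key, Event] = {}

    @staticmethod
    def _key(ev: Event) -> Key:
        return (ev.event_class, ev.host, ev.user)

    def lookup(self, incoming: Event) -> Optional[Event]:
        """Lookup action: an open event with the same key created within the window."""
        existing = self.open_events.get(self._key(incoming))
        if existing is None or existing.status != "OPEN":
            return None
        if incoming.timestamp - existing.timestamp > LOOKUP_WINDOW_SECONDS:
            return None   # window is measured from the existing event's own time
        return existing

    def process(self, incoming: Event) -> Tuple[str, Event]:
        """Apply the workflow to one event; returns (action, resulting event)."""
        if incoming.event_class != SELECTED_CLASS:
            return ("ignored", incoming)          # event selection criteria not met
        existing = self.lookup(incoming)
        if existing is None:
            # No match: the incoming event is created as a new open event.
            self.open_events[self._key(incoming)] = incoming
            return ("created", incoming)
        # Update new event: Function action drops the incoming duplicate.
        # Update old events:
        attempt = existing.attempt                # Variable: current attempt slot
        existing.attempt = attempt + 1            # Enrich: attempt + 1
        existing.severity = incoming.severity     # Enrich: copy new event severity
        if existing.attempt > CRITICAL_THRESHOLD: # If
            existing.severity = "CRITICAL"        # Then
        else:
            existing.severity = "WARNING"         # Else
        return ("dropped", existing)


# Constructed sample input, not real event data.
SAMPLE_EVENTS: List[Event] = [
    Event(SELECTED_CLASS, "srv1", "alice", 0, "MINOR"),
    Event(SELECTED_CLASS, "srv1", "alice", 30, "MINOR"),
    Event(SELECTED_CLASS, "srv1", "bob", 45, "MINOR"),
    Event(SELECTED_CLASS, "srv1", "alice", 60, "MAJOR"),
    Event(SELECTED_CLASS, "srv1", "alice", 700, "MINOR"),   # outside the 600 s window
]


def run_sample() -> List[Tuple[str, str, int, str]]:
    """Replay SAMPLE_EVENTS; returns (action, user, attempt, severity) per event."""
    policy = LoginFailurePolicy()
    results = []
    for ev in SAMPLE_EVENTS:
        action, out = policy.process(ev)
        results.append((action, out.user, out.attempt, out.severity))
    return results


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Two points worth checking against your own tenant. First, because the threshold is "greater than 2", the third failure inside the window is the one that turns the event Critical; the second only makes it Warning. Second, the lookup window is anchored on the existing event's own time, so an attacker who spaces attempts more than 600 seconds apart gets a fresh event with attempt 1 each time and never reaches Critical; widen the window or correlate on a longer-lived event if slow password guessing is a concern. Note also that the severity copied in step 5 is always overwritten by the If-Then-Else in steps 6 to 8, exactly as the policy on this page is built.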

