This documentation supports an earlier version of BMC Helix Operations Management. Use the Product version picker to select and view the latest version of documentation.

Example: Detect unauthorized access attempts that might indicate malicious intent

Scenario

Generally, login failures occur due to forgotten passwords. However, a high number of login failures to sensitive systems can indicate malicious intent. Suppose you want to look up the existing login failure events that occurred in the last 600 seconds. Additionally, suppose you want to:

  • Drop the incoming login failure events (associated with the LOGIN_FAILURE1 custom class).
  • Increase the attempt count of the existing event based on the number of duplicate attempts (duplicate events).
  • Update the existing event severity with the new event severity.
  • Raise the event severity to Critical if the number of attempts is greater than 2. Otherwise, raise the event severity to Warning.

To detect unauthorized access attempts, perform the following steps:

  1. Define the event selection criteria.
  2. Build the policy workflow.

Actions involved

  • Lookup
  • Function
  • Variable
  • Enrich
  • If-Then-Else

To define the event selection criteria

  1. Select Configuration > Event Policies and click Create.
  2. In the Event Selection Criteria, define a condition to select login failure events.

The following image illustrates how the event selection criteria will look.

[Image: login failure ev sel.png]

To build the policy workflow

On the Advanced Enrichment page, perform the following steps to build the policy workflow:

  1. Add the Lookup action. Under the Lookup Settings, select With custom criteria and define a condition to look up existing open events that occurred in the last 600 seconds.
    [Image: Lookup settings login failure Sep_2021.png]

  2. Under Update new event, add the Function action to drop incoming login failure events.
    [Image: Function settings login failure Sep 21.png]

  3. Under Update old events, add a Variable action and set its value to the value of the custom slot named attempt. This variable is used in the Enrich action that follows.
    [Image: Variable settings login failure.png]

  4. Under the previous action, add an Enrich action to increase the attempt count of the existing event by 1 for every duplicate attempt.
    [Image: Enrich attempts login failure Sep_2021.png]

  5. Under the previous action, add an Enrich action to update the existing event severity with the new event severity.
    [Image: Enrich 2 login failure.png]

  6. Under the previous action, add the If action to check if the number of attempts is greater than 2.
    [Image: If settings login failure.png]

  7. Under Then, add an Enrich action to raise the severity of the existing login failure event to Critical.
    [Image: Enrich 3 sev login failure.png]

  8. Under Else, add an Enrich action to raise the severity of the existing login failure event to Warning.
    [Image: Enrich 4 sev login failure.png]
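The following Python script is an added illustration of the workflow built in steps 1 to 8, not code from BMC Helix Operations Management. It models the event store and each action (Lookup, Function, Variable, Enrich, If-Then-Else) so you can see how a stream of LOGIN_FAILURE1 events is deduplicated and escalated. The correlation key (same host and user), the slot names host and user, the initial severity values, and the event timestamps are assumptions constructed for the example; the 600-second lookup window, the attempt slot, the class name, and the Critical/Warning threshold come from the scenario above.

```python
"""Simulation of the login-failure dedup/escalation policy (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

LOOKUP_WINDOW_SECONDS = 600   # "existing open events that occurred in the last 600 seconds"
CRITICAL_THRESHOLD = 2        # attempts > 2 -> Critical, otherwise Warning
LOGIN_FAILURE_CLASS = "LOGIN_FAILURE1"


@dataclass
class Event:
    event_class: str
    host: str           # assumed slot used for correlation
    user: str           # assumed slot used for correlation
    severity: str
    timestamp: int      # epoch seconds (constructed)
    status: str = "OPEN"
    attempt: int = 1    # custom slot 'attempt' from the scenario


class LoginFailurePolicy:
    def __init__(self) -> None:
        self.store: list[Event] = []   # events already in the event store

    def lookup(self, new: Event) -> Optional[Event]:
        """Lookup action: find an open event of the same class, host and user
        whose timestamp lies within the last 600 seconds."""
        for old in self.store:
            if (old.event_class == new.event_class
                    and old.host == new.host and old.user == new.user
                    and old.status == "OPEN"
                    and 0 <= new.timestamp - old.timestamp <= LOOKUP_WINDOW_SECONDS):
                return old
        return None

    def process(self, new: Event) -> tuple[str, Event]:
        """Run the policy on one incoming event; returns (outcome, affected event)."""
        if new.event_class != LOGIN_FAILURE_CLASS:
            self.store.append(new)          # policy does not select this event
            return "stored", new
        old = self.lookup(new)
        if old is None:
            self.store.append(new)          # first failure: keep it as the open event
            return "stored", new
        # Function action (Update new event): the incoming duplicate is dropped.
        # Variable action (Update old events): capture the existing attempt count.
        attempts = attempts_var = old.attempt
        # Enrich: increase the attempt count by 1 for this duplicate.
        old.attempt = attempts_var + 1
        # Enrich: copy the new event's severity onto the existing event.
        old.severity = new.severity
        # If-Then-Else: escalate based on the updated attempt count.
        if old.attempt > CRITICAL_THRESHOLD:
            old.severity = "Critical"
        else:
            old.severity = "Warning"
        return "dropped", old


def run_demo() -> tuple[list[str], list[Event]]:
    """Feed a constructed stream of failures and return outcomes plus the store."""
    policy = LoginFailurePolicy()
    stream = [
        Event(LOGIN_FAILURE_CLASS, "db01", "alice", "Minor", 0),      # first failure
        Event(LOGIN_FAILURE_CLASS, "db01", "alice", "Minor", 100),    # duplicate #1
        Event(LOGIN_FAILURE_CLASS, "db01", "alice", "Minor", 200),    # duplicate #2
        Event(LOGIN_FAILURE_CLASS, "db01", "alice", "Minor", 1000),   # outside the window
    ]
    outcomes = [policy.process(e)[0] for e in stream]
    return outcomes, policy.store


if __name__ == "__main__":
    outcomes, store = run_demo()
    for outcome, ev in zip(outcomes, store + store):   # stored events only
        pass
    print(outcomes)
    for ev in store:
        print(ev.host, ev.user, "attempt=%d" % ev.attempt, ev.severity)
```

Running the script shows that the second and third failures are dropped while the stored event climbs to attempt=3 and Critical; the fourth failure arrives more than 600 seconds after the stored event, so the Lookup finds nothing and it is kept as a new open event. Note that the existing event's timestamp is not refreshed by the policy, so a slow, evenly spaced series of failures that stays outside the window never accumulates attempts; widen the window in the Lookup criteria if that matters for your systems.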

Results

The resulting policy workflow enriches the event severity to Critical if the number of attempts is greater than 2. Otherwise, it enriches the event severity to Warning, as shown in the following image:

[Image: Lookup Login failure workflow_Sep_2021.png]
