Example: Detect a security attack after failed login attempts to a server


Scenario

Sarah is an administrator at Apex Global. There have been multiple failed login attempts against a host in her organization's infrastructure network. Repeated failures against one host can indicate a security attack on that host. She wants to correlate the individual failed login attempt events for the same host into a single aggregated event by using a correlation policy.

To correlate matching events, perform the following steps:

  1. Define the event selection criteria.
  2. Specify the correlation settings.

To define the event selection criteria

  1. Select Configuration > Event Policies and click Create.
  2. In the Event Selection Criteria, define a condition to select events from the LOGIN_FAILURE class that contain the message "login failure".

The following image illustrates how the event selection criteria will look.

[Image: Event selection criteria correlation.png]

To learn how to construct the event selection criteria, see Creating-and-enabling-event-policies.

To specify the correlation settings

On the Create Event Policy page, perform the following steps to specify the correlation settings:

  1. In Policy Configuration, select Correlation.
  2. Set the matching criteria to correlate events as shown in the following image:
     [Image: Correlation matching criteria for events.png]
  3. Specify the settings for the aggregated event formed by correlating multiple login attempt events as shown in the following image:
     [Image: Correlation settings for the aggregated event.png]
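The two steps above (select LOGIN_FAILURE events whose message contains "login failure", then correlate the selected events that share a host into one aggregated event) can be illustrated in code. The following is an added example written for this page, not the product's own correlation engine: the event field names (event_class, msg, host, timestamp), the time window, the event-count threshold and the sample events are all assumptions constructed for the illustration.

```python
"""Illustrative event correlator for the failed-login scenario.

Added example, not product code. Field names, the 5-minute window, the
threshold of 3 events and the sample events below are constructed for
this illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Event:
    event_class: str   # e.g. "LOGIN_FAILURE" (assumed field name)
    msg: str           # free-text message carried by the event
    host: str          # host the event relates to; the correlation key
    timestamp: int     # seconds; constructed sample values


@dataclass
class AggregatedEvent:
    host: str
    count: int
    first_seen: int
    last_seen: int
    related: list = field(default_factory=list)  # the events folded into this aggregate


def matches_selection(ev: Event) -> bool:
    """Event selection criteria from step 2: class LOGIN_FAILURE and a
    message containing "login failure" (case-insensitive here)."""
    return ev.event_class == "LOGIN_FAILURE" and "login failure" in ev.msg.lower()


def correlate(events, window_seconds: int = 300, threshold: int = 3) -> dict:
    """Correlation settings: group selected events by host. Once `threshold`
    selected events for one host fall within `window_seconds`, emit a single
    aggregated event for that host; every later selected event for the same
    host is folded into it as a related event. Returns {host: AggregatedEvent}."""
    by_host = defaultdict(list)
    for ev in events:
        if matches_selection(ev):          # events outside the criteria are ignored
            by_host[ev.host].append(ev)

    aggregated = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.timestamp)
        window = deque()                   # selected events within the sliding window
        for ev in evs:
            agg = aggregated.get(host)
            if agg is not None:
                # aggregate already exists for this host: attach the new event to it
                agg.count += 1
                agg.last_seen = ev.timestamp
                agg.related.append(ev)
                continue
            window.append(ev)
            # drop events that are older than the window relative to the newest one
            while ev.timestamp - window[0].timestamp > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                aggregated[host] = AggregatedEvent(
                    host=host,
                    count=len(window),
                    first_seen=window[0].timestamp,
                    last_seen=ev.timestamp,
                    related=list(window),
                )
    return aggregated


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    Event("LOGIN_FAILURE", "login failure for user alice", "host-a", 0),
    Event("LOGIN_FAILURE", "login failure for user alice", "host-a", 30),
    Event("LOGIN_FAILURE", "Login failure for user root", "host-a", 60),
    Event("LOGIN_FAILURE", "login failure for user bob", "host-a", 90),
    Event("LOGIN_SUCCESS", "login ok for user alice", "host-a", 100),      # wrong class
    Event("LOGIN_FAILURE", "login failure for user carol", "host-b", 10),   # below threshold
    Event("LOGIN_FAILURE", "account locked", "host-b", 20),                 # message does not match
    Event("LOGIN_FAILURE", "login failure for user dave", "host-c", 0),     # too old for the window
    Event("LOGIN_FAILURE", "login failure for user dave", "host-c", 1000),
    Event("LOGIN_FAILURE", "login failure for user dave", "host-c", 1100),
    Event("LOGIN_FAILURE", "login failure for user dave", "host-c", 1200),
]


def demo() -> dict:
    """Run the correlator over the sample events and return the aggregates."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, agg in demo().items():
        print(f"{host}: {agg.count} failed logins between t={agg.first_seen} and t={agg.last_seen}")
```

In the sample, host-a produces one aggregated event with four related events, host-b never reaches the threshold, and host-c shows the window at work: its event at t=0 is too old to count towards the three events at t=1000 to t=1200. The `related` list on each aggregate corresponds to the related events you can open from the aggregated event in the Results section below.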

Results

The correlation policy aggregates multiple events into a single aggregated event as shown in the following image. You can click the aggregated event to view the related events.

[Image: Detect a security attack after failed login attempts to a server result 1.png]

[Image: Detect a security attack after failed login attempts to a server result 2.png]