Example: Detect a security attack after failed login attempts to a server

Scenario

Sarah is an administrator at Apex Global. There have been multiple failed login attempts to a host in her organization's infrastructure network. These attempts could indicate a possible security attack on the particular host. She wants to correlate these multiple login attempt events to the same host into a single aggregated event by using a correlation policy.

To correlate matching events, perform the following steps:

To define the event selection criteria

Select Configuration > Event Policies and click Create.
In the Event Selection Criteria, define a condition to select events from the LOGIN_FAILURE class that contain the message "login failure".

The following image illustrates how the event selection criteria will look.

Event selection criteria correlation.png

To learn how to construct the event selection criteria, see Creating and enabling event policies.

To specify the correlation settings

On the Create Event Policy page, perform the following steps to specify the correlation settings:

In Policy Configuration, select Correlation.
Set the matching criteria to correlate events as shown in the following image:
Specify the settings for the aggregated event formed by correlating multiple login attempt events as shown in the following image:

Results

The correlation policy aggregates multiple events into a single aggregated event as shown in the following image. You can click the aggregated event to view related events.

Detect a security attack after failed login attempts to a server result 1.png

Detect a security attack after failed login attempts to a server result 2.png

Example: Detect a security attack after failed login attempts to a server

To define the event selection criteria

To specify the correlation settings

Results

BMC Helix Operations Management 25.4

On this page