Example of custom correlation rules

This example shows how a correlation rule generates an alert when McAfee ESM detects 5 unsuccessful logon attempts from a single source on a Windows system, followed by a successful logon, all in 10 minutes.

  1. In the Rule Types pane of the Policy Editor, click Correlation.
  2. Click New, then select Correlation Rule.
  3. Type a descriptive name, then select the severity setting.

    Note: Because an event generated by this rule could indicate that an unauthorized person has accessed the system, an appropriate severity setting is 80.

  4. Select the normalization ID, which could be Authentication or AuthenticationLogin, then drag and drop the AND logic element.
    Note: Select AND because there are two types of actions that need to occur (logon tries first, then a successful logon).
  5. Click the Menu icon, then select Edit.
  6. Select Sequence to indicate that the actions (first, five unsuccessful logon attempts, and second, a successful logon) must occur sequentially, then set the number of times this sequence must occur, which is "1."
  7. Set the period the actions need to occur in, then click OK.
    Note: Since there are two actions that require time windows, the 10-minute period must be divided between the two. For this example, five minutes is the period for each action. Once the unsuccessful attempts have occurred in five minutes, the system begins to listen for a successful logon from the same IP source in the next five minutes.
  8. In the Group by field, click the icon, move the Source IP option from the left to the right, indicating that all actions must come from the same source IP, then click OK.
  9. Define the logic for this rule or component.
To do this: Specify the type of filter that identifies the events of interest (in this case, multiple failed logon attempts against a Windows system).
Do this:
  1. Drag the Filter icon and drop it on the AND logic element.
  2. On the Filter Fields Component page, click Add.
  3. Select Normalization Rule, select In, then select:
    • Normalization
    • Authentication
    • Login
    • Host Login
    • Multiple failed login attempts against a Windows host
  4. Click OK.

To do this: Set the number of times the logon failure needs to occur and the period in which they must occur.
Do this:
  1. Drag and drop the AND logic element to the Filter bar.
    Note: The AND element is used because there are 5 separate attempts that must occur. The element allows you to set the number of times and the length of time in which they must occur.
  2. Click the Menu icon for the AND element you just added, then click Edit.
  3. In the Threshold field, enter 5 and remove any other values that are present.
  4. Set the Time Window field to 5.
  5. Click OK.

To do this: Define the second filter type that needs to occur, which is the successful logon.
Do this:
  1. Drag and drop the Filter icon to the bottom prong of the first AND logic element's bracket.
  2. On the Match Component page, click Add.
  3. In the fields, select Normalization Rule, select In, then select:
    • Normalization
    • Authentication
    • Login
    • Host Login
  4. Click OK to return to the Match Component page.
  5. To define "successful," click Add, select Event Subtype, select In, then click the Variables icon and select Event Subtype, success, Add.
  6. Click OK to return to the Policy Editor.
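The following is an added example, not McAfee ESM code, that replays the logic of the rule built above against constructed sample events: at least five failed logons from one source IP within the first five-minute window, followed by a successful Host Login from the same source within the next five minutes. Event tuples, the "failure"/"success" subtype labels and the helper names are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Parameters mirroring the rule: the inner AND element's Threshold and
# Time Window, and the remaining half of the 10-minute period for the success.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)
SUCCESS_WINDOW = timedelta(minutes=5)
FAILED_RULE = "Multiple failed login attempts against a Windows host"
SUCCESS_RULE = "Host Login"

def _t(hhmm):
    return datetime.strptime(f"2024-01-01 {hhmm}", "%Y-%m-%d %H:%M")

# Constructed sample events: (time, source IP, normalized rule, event subtype)
EVENTS = (
    [(_t(f"10:0{i}"), "10.0.0.5", FAILED_RULE, "failure") for i in range(5)]
    + [(_t("10:07"), "10.0.0.5", SUCCESS_RULE, "success")]   # should alert
    + [(_t(f"10:{i:02d}"), "10.0.0.9", FAILED_RULE, "failure") for i in (0, 2, 4, 6, 8)]
    + [(_t("10:09"), "10.0.0.9", SUCCESS_RULE, "success")]   # failures span > 5 min
    + [(_t(f"10:1{i}"), "10.0.0.7", FAILED_RULE, "failure") for i in range(5)]
    + [(_t("10:20"), "10.0.0.7", SUCCESS_RULE, "success")]   # success arrives too late
)

def correlate(events):
    """Return (source_ip, success_time) pairs satisfying the Sequence:
    >= FAIL_THRESHOLD failures from one source inside FAIL_WINDOW, then a
    successful Host Login from the same source within SUCCESS_WINDOW."""
    failures = defaultdict(list)   # Group by Source IP: recent failure times
    armed = {}                     # source IP -> deadline for the success
    alerts = []
    for t, src, rule, subtype in sorted(events, key=lambda e: e[0]):
        if rule == FAILED_RULE and subtype == "failure":
            # Rolling window: keep only failures within FAIL_WINDOW of this one
            recent = [f for f in failures[src] if t - f <= FAIL_WINDOW] + [t]
            failures[src] = recent
            if len(recent) >= FAIL_THRESHOLD:
                armed[src] = t + SUCCESS_WINDOW   # first action complete
                failures[src] = []                # sequence must occur once
        elif rule == SUCCESS_RULE and subtype == "success":
            deadline = armed.pop(src, None)
            if deadline is not None and t <= deadline:
                alerts.append((src, t.strftime("%H:%M")))
    return alerts

if __name__ == "__main__":
    for src, when in correlate(EVENTS):
        print(f"ALERT severity=80 source={src} successful logon at {when}")
```

Only 10.0.0.5 produces an alert: 10.0.0.9 never accumulates five failures inside one five-minute window, and 10.0.0.7 succeeds after its five-minute listening period has expired.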