Markl Trusted Contributor.

Data Monitor Question

Hi all,

I'm trying to implement a correlation using rule weights (first for a group of rules).

I have a group of rules in several levels. In level one, all rules have an associated value. My idea is that when a rule from level one is triggered by the same source address, the associated value is added. On every rule triggered (by source address), I need to check if the sum of the associated values is greater than a maximum value.

I've checked the data monitors in the ESM Console, but I can't find a data monitor which adds these values and alerts when the sum exceeds a specific value (I can see that we can get an alert if the activity increases by a %).

Could anybody help me?

Thanks in advance,

Kind Regards,

Marcos

Be Water My Friend
george_m_c Respected Contributor.

Re: Data Monitor Question

Marcos, you may use an active list to keep track of the number of triggers from a source and use the active list count field value to trigger another rule that notifies when a source exceeds the limit/max value. If your intention is to have a dashboard, then you may use a query viewer on top of the active list.
chris.allen3@hp1 Super Contributor.

Re: Data Monitor Question

You can do threat scoring with 2 shared active lists and 2 variables in each of your rules.

Create a field based (Threat Score) active list with an integer and an IP address column and set the IP address as your key field.

Add these variables to each of your rules that you want to update the threat score:

get_activelist_value from the Threat Score active list.

add from Threat Score active list value column with the integer weight of your choosing.

Set the rule action to populate the IP address and add variable to the Threat Score active list.

The second active list is to be used for tracking current threats by each rule to avoid duplicate threat score adding (each rule adds the IP and rule name to an AL with multi-mapping enabled, to be used as a rule filter).

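The two-active-list scheme from the reply above, simulated in plain Python as an added example (not ArcSight content or code from the thread): the rule weights, the threshold and the event sequence are constructed values, and the two dictionaries stand in for the Threat Score active list and the per-rule de-duplication list.

```python
from collections import defaultdict

# Constructed level-one rule weights (assumed values, not from the thread).
RULE_WEIGHTS = {"Brute Force Attempt": 30, "Port Scan": 20, "Malware Beacon": 60}
MAX_SCORE = 70  # alert when the running score exceeds this (assumed)


class ThreatScorer:
    """Stand-in for the two shared active lists described in the reply.

    threat_score plays the 'Threat Score' active list: keyed by source
    address, holding the running integer score.
    seen plays the second, multi-mapped list of (address, rule name) pairs
    that each rule uses as a filter so it adds its weight only once.
    """

    def __init__(self, weights, max_score):
        self.weights = weights
        self.max_score = max_score
        self.threat_score = defaultdict(int)
        self.seen = set()
        self.alerts = []  # (source address, score) pairs that crossed the max

    def on_rule_fire(self, rule_name, src_addr):
        """Called each time a level-one rule fires for a source address.
        Returns the score after the update, or None if the rule has no weight."""
        if rule_name not in self.weights:
            return None  # not a level-one rule: no score contribution
        if (src_addr, rule_name) in self.seen:
            return self.threat_score[src_addr]  # duplicate firing: filtered out
        self.seen.add((src_addr, rule_name))
        # get_activelist_value + add variable, written back by the rule action
        self.threat_score[src_addr] += self.weights[rule_name]
        total = self.threat_score[src_addr]
        if total > self.max_score:
            self.alerts.append((src_addr, total))
        return total


def run_sample():
    """Replays a constructed sequence of rule firings and returns the scorer."""
    scorer = ThreatScorer(RULE_WEIGHTS, MAX_SCORE)
    events = [
        ("Port Scan", "10.0.0.5"),
        ("Port Scan", "10.0.0.5"),        # repeat: must not be added twice
        ("Brute Force Attempt", "10.0.0.5"),
        ("Malware Beacon", "10.0.0.5"),   # 20 + 30 + 60 = 110 > 70 -> alert
        ("Malware Beacon", "10.0.0.9"),   # 60 alone stays below the threshold
    ]
    for rule, addr in events:
        scorer.on_rule_fire(rule, addr)
    return scorer
```

The duplicate "Port Scan" firing is the case the second active list exists for: without the filter, repeated firings of one rule would inflate the score on their own.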
Markl Trusted Contributor.

Re: Data Monitor Question

Hi Chris,

Thanks for your message. It's a possibility, but I want to do it with a data monitor. If it is not possible with a data monitor, I'll try your proposal.

Kind Regards,

Marcos
Be Water My Friend