How to trigger notification based on concurrent logins from different source zones

I am populating a session list with login information (Session ID, Username, Source Zone, Destination IP Address). What I'm having a problem with is finding a way to trigger a notification whenever a single user concurrently logs in to two or more devices from more than one source zone. I can create a query that will derive this information, but that doesn't seem to help in terms of triggering the notification.

Any ideas on how to get this to work? I don't want to generate a periodic report, I want real-time notifications of these active events.

Thanks.

Accepted Solutions
Re: How to trigger notification based on concurrent logins from different source zones

One of a few possible solutions that worked:

  • Use an active list in addition to the long-term tracking on session list
  • Active List: Username (key), Source Zone
  • When new login events trigger rule, check if username already on active list
  • Use local variable to derive prior active list entry's source zone ($Var_PriorZone)
  • Trigger correlation event if new login event's source zone != $Var_PriorZone
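
The active-list logic from the accepted solution, sketched in Python as an added example (not ArcSight rule content and not code from the original post). The login events are constructed, and the entry expiry `ACTIVE_LIST_TTL` is an assumption standing in for how long a prior login should still count as concurrent.

```python
from dataclasses import dataclass

# Constructed sample logins: (epoch seconds, session ID, username, source zone, destination IP)
SAMPLE_LOGINS = [
    (1000, "s1", "alice", "Corp-LAN", "10.0.0.5"),
    (1060, "s2", "bob", "Corp-LAN", "10.0.0.6"),
    (1120, "s3", "alice", "Corp-LAN", "10.0.0.7"),      # same zone as before: no alert
    (1300, "s4", "alice", "VPN-External", "10.0.0.8"),  # zone differs: alert
    (9000, "s5", "bob", "VPN-External", "10.0.0.9"),    # bob's entry has expired: no alert
]

ACTIVE_LIST_TTL = 3600  # assumption: seconds an entry stays on the active list


@dataclass
class Entry:
    zone: str       # source zone of the user's most recent login
    last_seen: int  # timestamp of that login


def correlate(events, ttl=ACTIVE_LIST_TTL):
    """Return one correlation event per login whose zone differs from the
    zone stored for that username on the (unexpired) active list."""
    active_list = {}  # keyed on username, as in the solution
    alerts = []
    for ts, session_id, user, zone, dst_ip in sorted(events):
        entry = active_list.get(user)
        if entry is not None and ts - entry.last_seen > ttl:
            entry = None  # expired entries count as "not on the list"
        prior_zone = entry.zone if entry else None  # plays the role of $Var_PriorZone
        if prior_zone is not None and zone != prior_zone:
            alerts.append({
                "time": ts,
                "user": user,
                "session_id": session_id,
                "prior_zone": prior_zone,
                "new_zone": zone,
                "destination_ip": dst_ip,
            })
        # Add or refresh the entry so the next login is compared against this one.
        active_list[user] = Entry(zone, ts)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGINS):
        print(alert)
```

Because the list holds one zone per username, a user who alternates between two zones raises an event on every switch, and an expiry that is too long will flag logins that are sequential rather than concurrent.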

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.