josh_tonak Super Contributor.

Track large time windows


Say I want to alert on 25 failed logins over 1 minute for a single user, that's easy. Make a rule to find 25 in 1 minute. What if I want to find 25 failed logins over 1 hour? I don't think I want to have a rule with an hour time window. I thought about having a rule add to an active list for each failure event but then how does an alert get created when that list hits the magic 25 number for a particular user? What is a good way to correlate items over large time windows like an hour?

Unless we schedule a rule to run every hour...there's an idea!


Accepted Solutions
momu@tdc.dk Absent Member.

Re: Track large time windows


Hello Josh,

That is actually very easy:

Create a standard realtime rule with the filter:

DeviceEventClassID = activelist:103

File name = <Name of Active List>

DeviceCustomNumber1 > 25 (or whatever threshold you want)

Remember to set the TTL on the Active List to 1 hour (or whatever expire-value you want).

7 Replies
rhope Acclaimed Contributor.

Re: Track large time windows


Scheduled rules and active lists are an option; you can also do it with layered rules, though the time window becomes problematic. Short term: multiple failed logins (say 5 in 1 minute), and then long term is 5 short term in an hour.

rhope Acclaimed Contributor.

Re: Track large time windows


The hour time window is OK in this instance, as you'll have far fewer events to hold for aggregation.

rhope Acclaimed Contributor.

Re: Track large time windows


There are pros and cons for each approach. For scheduled rules the problem is they don't account for multiple failed logins straddling a time window. Active lists are probably the most accurate but are a bit more complex to implement. Layered rules don't catch the low and slow quite so well...

josh_tonak Super Contributor.

Re: Track large time windows


That's what I was missing. I didn't know the 103 events had a count listed. Thanks!

josh_tonak Super Contributor.

Re: Track large time windows


So there are more failed logons than I anticipated. The list counts just grow and grow, and every time it adds (which is about every minute) my second rule to fire in excess of 25 just keeps firing with everything over 25, and since the list entries keep getting updated they never fall off, so the hour turns into a day's worth. I tried a scheduled rule but that didn't work. I've just tried a 1 hour time window with a 25 count standard rule and it's firing after 5 every minute. I've set the action to every threshold. Does it take into account the base event aggregated event count? Because each of the 5 correlated by the rule has an aggregated event count of 6 already, so that would be 30.

momu@tdc.dk Absent Member.

Re: Track large time windows


You want a 'remove from active list' action on the rule that fires on 'DeviceEventClassID = activelist:103'.

The different 'action' types are not exactly user-friendly (as you discovered).

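A runnable model of the active-list approach worked out in this thread (an added example, not ArcSight code and not posted by any of the participants): one list entry per user holds a failed-login count with a 1-hour TTL, a rule fires when the count exceeds the threshold, and the final reply's 'remove from active list' action resets the count. It assumes an entry's TTL is refreshed on every update, which is what makes entries "never fall off" in the behaviour described above.

```python
from dataclasses import dataclass

TTL_SECONDS = 3600   # active list TTL from the accepted solution (1 hour)
THRESHOLD = 25       # rule filter: DeviceCustomNumber1 > 25

@dataclass
class Entry:
    count: int        # failed logins seen for this user (DeviceCustomNumber1)
    last_update: int  # epoch seconds of the most recent failed login

class ActiveList:
    """Per-user failed-login counters with a TTL. Assumption: an entry's
    TTL is refreshed on every update, so a steadily failing user never expires."""
    def __init__(self, ttl=TTL_SECONDS):
        self.ttl = ttl
        self.entries = {}

    def expire(self, now):
        # Drop entries whose TTL has run out since their last update
        self.entries = {u: e for u, e in self.entries.items()
                        if now - e.last_update < self.ttl}

    def add(self, user, now):
        # Each failed login increments the user's count and refreshes its TTL
        self.expire(now)
        e = self.entries.get(user)
        if e is None:
            e = self.entries[user] = Entry(0, now)
        e.count += 1
        e.last_update = now
        return e.count

def simulate(events, remove_on_fire):
    """events: time-ordered (epoch_seconds, user) failed-login records.
    Returns (timestamp, user, count) for every time the threshold rule fired."""
    alist = ActiveList()
    fired = []
    for ts, user in events:
        count = alist.add(user, ts)
        if count > THRESHOLD:       # the rule on 'activelist:103' update events
            fired.append((ts, user, count))
            if remove_on_fire:      # the 'remove from active list' action
                del alist.entries[user]
    return fired

# Constructed sample input: alice fails once a minute for 30 minutes; bob fails
# every 70 minutes, so his entry expires before each new attempt and never adds up.
SAMPLE = sorted([(60 * i, "alice") for i in range(30)] +
                [(4200 * i, "bob") for i in range(40)])
```

Run `simulate(SAMPLE, remove_on_fire=False)` and the alert for alice repeats on every failure past the 25th; with `remove_on_fire=True` it fires once and counting starts again from zero.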