Multiple events correlation rule

Multi-event correlation rules

A correlation rule is used to alert the admin when an event, or a series of events, occurs within a specified time range.
To create a multi-event rule, the following requirements must be met:

Requirements:

  • A mail server must be configured. See the mail server section for how to configure one.
  • The pattern must belong to a specific class.

Using the SGBox web interface: SGBOX > LCE > Rules

Click on New Rule

In the left section, on the Events tab, find the events of interest and drag them into the correct section on the right.

Timeout is the maximum time between the first and last event.
In this case the rule is verified if at least three login failures happen within 300 seconds.

You can make the rule more specific by connecting some parameters between the events:
Selecting the down arrow shows the events menu; there you can select the Previous Host option to tell SGBox that the second event must occur on the same host as the previous one.
Use the Relative column to connect a parameter between events.
In this case the second event's TargetUserName must be the same as the first event's TargetUserName.

We also tell SGBox that:

  • the third event must occur on the same host as the second
  • the third event's TargetUserName must be the same as the second event's TargetUserName

Click on Save to save the rule.
Give it a name and a description, and click on the Active flag to enable it.
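
The logic of the rule built above, written out as an added Python example (not SGBox code, and not a description of how the SGBox engine is implemented): three login failures chained on the same host and the same TargetUserName, with at most 300 seconds between the first and the last. The field names ts, host and event, the event label login_fail, the sliding-window approach and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

TIMEOUT = 300      # seconds: maximum time between first and last event
THRESHOLD = 3      # number of chained login-failure events


def correlate(events, timeout=TIMEOUT, threshold=THRESHOLD):
    """Return one alert per completed chain of `threshold` login failures
    that share host and TargetUserName and fit inside `timeout` seconds."""
    windows = defaultdict(deque)   # (host, user) -> timestamps of pending failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "login_fail":      # assumed event label
            continue
        key = (ev["host"], ev["TargetUserName"])
        win = windows[key]
        win.append(ev["ts"])
        # Drop failures too old to be the first event of a chain ending now.
        while ev["ts"] - win[0] > timeout:
            win.popleft()
        if len(win) >= threshold:
            alerts.append({"host": key[0], "TargetUserName": key[1],
                           "first": win[0], "last": ev["ts"]})
            win.clear()                      # start a fresh chain after alerting
    return alerts


# Constructed sample events (timestamps in seconds), not real log data.
SAMPLE = [
    {"ts": 0,   "host": "srv01", "TargetUserName": "alice", "event": "login_fail"},
    {"ts": 40,  "host": "srv01", "TargetUserName": "bob",   "event": "login_fail"},
    {"ts": 90,  "host": "srv01", "TargetUserName": "alice", "event": "login_fail"},
    {"ts": 120, "host": "srv02", "TargetUserName": "alice", "event": "login_fail"},
    {"ts": 250, "host": "srv01", "TargetUserName": "alice", "event": "login_fail"},
    {"ts": 400, "host": "srv01", "TargetUserName": "bob",   "event": "login_fail"},
    {"ts": 700, "host": "srv01", "TargetUserName": "bob",   "event": "login_fail"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Only alice on srv01 raises an alert: her failure on srv02 belongs to a different host, and bob's three failures are spread over more than 300 seconds.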