IBM Security QRadar


DUO use case for alerting - new device enrollment for same username after successful authentication

  • 1.  DUO use case for alerting - new device enrollment for same username after successful authentication

    Posted Mon November 28, 2022 11:31 AM
    I'm trying to set up the above, so that when an enrollment event happens after a successful authentication event, we receive an email and take a look to see if something interesting is happening with a user's account.

    So far I've come up with this:

    Building block for enrollment events
    Building block for duo authentication events

    Rule:  when BB: duo_eventtype_enrollment match at least 1 times in 10 minutes after any of BB: duo_eventtype_auth match

    The problem is that I need to add logic that looks at the username. Right now this will fire just because these two things happened, but it can be for different users... So it's a noisy alert. But if I could add in logic that makes it only fire when this happens for the same username, it would clean that up a lot.

    Any ideas?  Thank you.


    ------------------------------
    bryan mcclenahan
    ------------------------------


  • 2.  RE: DUO use case for alerting - new device enrollment for same username after successful authentication

    Posted Tue November 29, 2022 11:50 AM
    Was it this type of criteria you were looking for?

    "and when these rules match at least this many times with the same event properties in this many minutes after these rules match"

    ------------------------------
    Dusan VIDOVIC
    ------------------------------
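    The following is an added illustration of the two rule variants discussed in this thread (the original sequence test versus the "same event properties" test keyed on username); it is not QRadar code and not anything posted by the participants. It replays a constructed list of Duo-style events through a small correlation function so the difference in noise is visible: the field names (`eventtype`, `result`, `username`, `ts`) and the sample events are assumptions made up for the example, not QRadar's normalized schema or the Duo DSM's property names.

```python
from datetime import datetime, timedelta

# 10-minute window, matching the rule in the original post.
WINDOW = timedelta(minutes=10)

# Constructed sample events (hypothetical field names, not the Duo DSM schema).
# alice: success auth, then enrollment 5 min later  -> should fire
# bob:   enrollment only, no auth of his own         -> noise in the per-user-blind rule
# alice: a second enrollment 20 min after her auth   -> outside the window
# carol: failed auth, then enrollment                -> auth was not successful
EVENTS = [
    {"ts": "2022-11-28T09:00:00", "eventtype": "authentication", "result": "success", "username": "alice"},
    {"ts": "2022-11-28T09:03:00", "eventtype": "enrollment", "username": "bob"},
    {"ts": "2022-11-28T09:05:00", "eventtype": "enrollment", "username": "alice"},
    {"ts": "2022-11-28T09:20:00", "eventtype": "enrollment", "username": "alice"},
    {"ts": "2022-11-28T10:00:00", "eventtype": "authentication", "result": "failure", "username": "carol"},
    {"ts": "2022-11-28T10:02:00", "eventtype": "enrollment", "username": "carol"},
]


def is_successful_auth(event):
    """Stand-in for the 'duo_eventtype_auth' building block."""
    return event["eventtype"] == "authentication" and event.get("result") == "success"


def is_enrollment(event):
    """Stand-in for the 'duo_eventtype_enrollment' building block."""
    return event["eventtype"] == "enrollment"


def correlate(events, window=WINDOW, same_user=True):
    """Return [(username, enrollment_ts), ...] for enrollments that fire the rule.

    same_user=False reproduces the original rule: any enrollment within the
    window after any successful auth fires, regardless of who authenticated.
    same_user=True reproduces the 'same event properties' variant keyed on
    username: the enrollment must follow a successful auth by the same user.
    """
    recent_auths = []  # (timestamp, username) of successful auths still inside the window
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(event["ts"])
        if is_successful_auth(event):
            recent_auths.append((ts, event["username"]))
            continue
        if not is_enrollment(event):
            continue
        # Expire auths that are older than the window relative to this enrollment.
        recent_auths = [(t, u) for t, u in recent_auths if ts - t <= window]
        for _, auth_user in recent_auths:
            if not same_user or auth_user == event["username"]:
                alerts.append((event["username"], event["ts"]))
                break  # one alert per enrollment event is enough
    return alerts


if __name__ == "__main__":
    print("original rule (any user):", correlate(EVENTS, same_user=False))
    print("same-username rule:     ", correlate(EVENTS, same_user=True))
```

Running it shows the original sequence rule firing twice (bob's enrollment rides on alice's authentication), while the username-keyed variant fires only for alice, which is the noise reduction the thread is after. A real deployment would also want to confirm that the Duo events actually populate the username property QRadar keys on, since an empty or differently parsed field would silently prevent the "same event properties" test from matching.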



  • 3.  RE: DUO use case for alerting - new device enrollment for same username after successful authentication

    Posted Thu December 01, 2022 11:41 AM
    This looks very promising, thank you!


    Bryan McClenahan, CISSP 
    Sr Information Security Analyst
    Santa Clara University | Information Security Office  
    408-554-5299 | bmcclenahan@scu.edu