IBM Security QRadar

  • 1.  How to make a particular offence or rule

    Posted Thu May 26, 2022 05:21 AM
    Hi people,

    I wanted to ask if you could tell me how I can make a rule if a user is logged in successfully on a particular server after 3 failed attempts. I made the rule to get notifications if a user has 3 failed login attempts, but now I cannot figure out how I can make a rule to send me a notification if the user has logged in successfully after those 3 failed attempts.

    Thank you

    ------------------------------
    Slavcho Andreevski
    ------------------------------


  • 2.  RE: How to make a particular offence or rule

    Posted Fri May 27, 2022 03:33 AM
    Slavčo, (if I understood the question properly) you can make the rule that calls other rules - such as:
    AND when these rules match at least this many times in this many minutes after any of these rules match
    or
    AND when these rules match at least this many times with the same event properties in this many minutes after these rules match
    Actually, there is a rule in QRadar already there you can maybe use as a guidance or template:
    Login Failures Followed By Success to the same Destination IP
    AND when BB:CategoryDefinition: Authentication Success match at least 1 times in 5 minutes after any of Multiple Login Failures to the Same Destination match with the same Destination IP
    If it is about specific users, you can maybe use a combination of criteria that will search in a Reference set or another building block.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: How to make a particular offence or rule

    Posted Wed June 01, 2022 07:12 AM
    It is not about specific users. I want the rule to send me a notification if a username (e.g. Slavcho) inputs his password wrong 3 times and then the same user logs in successfully to the domain server. I have the rule which sends me a notification if a user inputs his password wrong. The rule that exists fires a notification for all the users, not just for 1 user (I mean if 3 users input a wrong password and a 4th one inputs it correctly, it fires the notification, which is not what I want).

    ------------------------------
    Slavcho Andreevski
    ------------------------------



  • 4.  RE: How to make a particular offence or rule

    Posted Wed June 01, 2022 11:09 AM
    In QRadar there is by default an active rule named Multiple Login Failures for Single Username containing the following criteria/tests:
    and when an event matches any of the following BB:CategoryDefinition: Authentication Failures
    and when at least 4 events are seen with the same Username in 1 minutes
    which I understand is basically what you described as a starting point.
    You can see that the first test references a Building Block - which is essentially equivalent to referencing another rule.
    (this BB tests if the events match the categories such as Authentication.Admin Login Failure, Authentication.Auth Server Login Failed, Authentication.FTP Login Failed, Authentication.General Authentication Failed, Authentication.Host Login Failed, etc.)
    Also, by default, in QRadar there is an active rule named Login Failures Followed By Success to the same Username containing the following criteria/tests:
    and when BB:CategoryDefinition: Authentication Success match at least 1 times in 5 minutes after any of Multiple Login Failures for Single Username match with the same Username
    This rule checks whether a rule (here a Building Block looking for Authentication Success events) matches at least once after the rule named Multiple Login Failures for Single Username has matched at least once.
    This rule by default sends a custom event and creates an offense; it can easily be updated to send an email as well.
    In this form, the username can be any username parsed from events, but the tests will track the repeated occurrence of a username. If you need to track one or several particular usernames (e.g. you want to track only those with some kind of privileged use), you can populate a reference set with your data and update the rule with an additional test that will check if the username is in the reference set.
    Of course, you can tweak the count and time parameters to your needs.


    ------------------------------
    Dusan VIDOVIC
    ------------------------------
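    To illustrate the per-username correlation described in the replies above (failures grouped by the same Username, then a success for that same Username within a window), here is an added Python example; it is not part of the thread and not QRadar's own engine. The event list, category names, thresholds and windows are constructed to mirror the default rules quoted above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Mirrors the default "at least 4 events with the same Username in 1 minutes"
FAIL_THRESHOLD = 4
FAIL_WINDOW = timedelta(minutes=1)
# Mirrors "Authentication Success ... at least 1 times in 5 minutes after"
SUCCESS_WINDOW = timedelta(minutes=5)

# Constructed sample events (timestamp, username, category); not real logs.
SAMPLE_EVENTS = [
    ("2022-06-01 07:00:01", "slavcho", "Authentication Failure"),
    ("2022-06-01 07:00:05", "slavcho", "Authentication Failure"),
    ("2022-06-01 07:00:09", "slavcho", "Authentication Failure"),
    ("2022-06-01 07:00:12", "dusan",   "Authentication Failure"),
    ("2022-06-01 07:00:14", "slavcho", "Authentication Failure"),
    ("2022-06-01 07:00:20", "dusan",   "Authentication Success"),  # only 1 failure: no alert
    ("2022-06-01 07:02:30", "slavcho", "Authentication Success"),  # 4 failures, then success
]

def correlate(events, fail_threshold=FAIL_THRESHOLD,
              fail_window=FAIL_WINDOW, success_window=SUCCESS_WINDOW):
    """Return [(username, success_timestamp)] for every success that follows
    fail_threshold failures by the *same* username inside fail_window, with the
    success arriving no later than success_window after the failure rule fired."""
    failures = defaultdict(deque)  # username -> recent failure timestamps
    fired_at = {}                  # username -> when the failure rule last matched
    alerts = []
    for ts_str, user, category in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if category == "Authentication Failure":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > fail_window:   # drop failures outside the window
                q.popleft()
            if len(q) >= fail_threshold:           # "Multiple Login Failures for Single Username"
                fired_at[user] = ts
        elif category == "Authentication Success":
            t = fired_at.get(user)                 # keyed by username, so other users' failures
            if t is not None and ts - t <= success_window:  # never count toward this one
                alerts.append((user, ts_str))
                del fired_at[user]                 # one alert per failure burst
    return alerts

if __name__ == "__main__":
    for user, when in correlate(SAMPLE_EVENTS):
        print(f"ALERT: success for {user} at {when} after repeated failures")
```

    Because state is keyed by username, three different users each failing once and a fourth logging in correctly produce no alert, which is the behaviour the question asks for.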