
SIEM Example Workflow (very simple rule)

This article explains a simple alarm generated from Windows events.

Reminder: the workflow is as follows:

  1. The raw log is sent to the sensor.
  2. The sensor reviews the raw log during level 1 correlation to decide whether it should create an "Event".
  3. The Event is sent to the cloud correlation service and reviewed against other events on the same asset to decide whether an "Alarm" is necessary (level 2 correlation).

This is an example Alarm generated by the cloud correlation engine as it analyzes Windows Event log events (ALARM: Windows Brute Force Attempt).
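As an added illustration of the two-level workflow above (this is not the product's own code; the flattened log format, the use of Windows Event ID 4625 for a failed logon, and the five-failures-within-a-minute threshold are assumptions), the following Python sketch runs constructed raw logs through a level 1 rule that creates Events and a level 2 step that raises the brute-force Alarm per asset:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample raw logs (not real captures): Windows Security log records
# flattened to key=value text, as a sensor might receive them.
RAW_LOGS = [
    "2024-03-01T09:00:01 Computer=WS01 EventID=4625 TargetUserName=admin IpAddress=10.0.0.5",
    "2024-03-01T09:00:04 Computer=WS01 EventID=4625 TargetUserName=admin IpAddress=10.0.0.5",
    "2024-03-01T09:00:07 Computer=WS01 EventID=4625 TargetUserName=admin IpAddress=10.0.0.5",
    "2024-03-01T09:00:09 Computer=WS01 EventID=4624 TargetUserName=admin IpAddress=10.0.0.5",
    "2024-03-01T09:00:12 Computer=WS01 EventID=4625 TargetUserName=admin IpAddress=10.0.0.5",
    "2024-03-01T09:00:15 Computer=WS01 EventID=4625 TargetUserName=admin IpAddress=10.0.0.5",
    "2024-03-01T09:05:00 Computer=WS02 EventID=4625 TargetUserName=bob IpAddress=10.0.0.9",
]

KV = re.compile(r"(\w+)=(\S+)")

def level1_correlate(raw):
    """Sensor rule (level 1): a Windows failed-logon record (Event ID 4625, an
    assumption for this sketch) becomes an Event; any other record yields None."""
    ts, rest = raw.split(" ", 1)
    fields = dict(KV.findall(rest))
    if fields.get("EventID") != "4625":
        return None
    return {
        "time": datetime.fromisoformat(ts),
        "asset": fields["Computer"],
        "name": "Brute force login attempt",  # event name as shown in the portal
        "raw": raw,                            # kept so the raw log can be shown in event details
    }

def level2_correlate(events, threshold=5, window=timedelta(minutes=1)):
    """Cloud engine (level 2): review Events per asset; when `threshold` failed
    logons fall inside `window`, raise one Alarm for that asset."""
    alarms = []
    by_asset = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_asset[ev["asset"]].append(ev)
    for asset, evs in by_asset.items():
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["time"] - evs[i]["time"] <= window:
                alarms.append({"alarm": "Windows Brute Force Attempt", "asset": asset,
                               "events": evs[i:i + threshold]})
                break  # one alarm per asset is enough for this sketch
    return alarms

def run_pipeline(raw_logs):
    """Full path: raw logs -> level 1 Events -> level 2 Alarms."""
    events = [e for e in (level1_correlate(r) for r in raw_logs) if e]
    return events, level2_correlate(events)
```

With the constructed logs, WS01 produces five failed-logon Events inside one minute and therefore one Alarm, while the single successful logon (4624) never becomes an Event and WS02's lone failure stays below the threshold.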


If your customer portal account profile is set up as “Intermediate”, you will be able to see the events that the cloud correlation engine (level 2 correlation) used to determine that an alarm was necessary. You can see there are events such as “Brute force login attempt…”.


If you click on the event and go to event details, you will see the actual raw log entry from the Windows event log and the level 1 correlation rule that tripped.


If you want to see this rule and many others, go to Sensors | ‘choose the sensor’ | and choose ‘log rules’.


You can then find the rule and click on the ‘I’ to see the details.




