
SIEM Example Workflow (very simple rule)

This article walks through a simple alarm generated from Windows events.

Reminder: workflow is as follows:

  1. Raw log is sent to sensor
  2. Sensor reviews raw log during level 1 correlation to see if it should create an "Event".
  3. Event is sent to the cloud correlation service and reviewed against other events on the same asset to see if an "Alarm" is necessary (Level 2 correlation).
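To make the two correlation levels concrete, here is an added example (not code from the article or the product) that models them in Python: a level 1 rule turns raw Windows log lines into "Brute force login attempt" events, and a level 2 rule raises a "Windows Brute Force Attempt" alarm when enough of those events land on the same asset inside a time window. The log format, the use of event ID 4625 (failed logon), the threshold and the window are all assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of raw Windows Security log lines (not real data). Treating
# event ID 4625 (failed logon) as the trigger is an assumption of this example.
RAW_LOGS = [
    "2024-01-01T10:00:00 host=WS01 EventID=4625 user=bob src=10.0.0.5",
    "2024-01-01T10:00:02 host=WS01 EventID=4625 user=bob src=10.0.0.5",
    "2024-01-01T10:00:04 host=WS01 EventID=4624 user=alice src=10.0.0.9",
    "2024-01-01T10:00:05 host=WS01 EventID=4625 user=bob src=10.0.0.5",
    "2024-01-01T10:00:07 host=WS01 EventID=4625 user=bob src=10.0.0.5",
    "2024-01-01T10:00:09 host=WS01 EventID=4625 user=bob src=10.0.0.5",
    "2024-01-01T10:30:00 host=WS02 EventID=4625 user=eve src=10.0.0.7",
]

LINE_RE = re.compile(r"(\S+) host=(\S+) EventID=(\d+) user=(\S+) src=(\S+)")

def level1(raw_line):
    """Sensor-side rule: turn a raw log line into an Event, or None if no rule matches."""
    m = LINE_RE.match(raw_line)
    if not m:
        return None
    ts, host, event_id, user, src = m.groups()
    if event_id == "4625":  # assumed mapping: failed logon -> brute force login attempt event
        return {"time": datetime.fromisoformat(ts), "asset": host,
                "name": "Brute force login attempt", "user": user, "src": src}
    return None

def level2(events, threshold=5, window=timedelta(minutes=1)):
    """Cloud-side rule: N matching events on the same asset inside the window -> Alarm."""
    recent = defaultdict(deque)  # asset -> timestamps of recent matching events
    alarms = []
    for ev in events:
        if ev["name"] != "Brute force login attempt":
            continue
        q = recent[ev["asset"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alarms.append({"alarm": "Windows Brute Force Attempt", "asset": ev["asset"],
                           "events": len(q), "last_seen": ev["time"]})
            q.clear()  # reset so one burst raises one alarm, not one per extra failure
    return alarms

def run_pipeline(raw_lines):
    """Raw log -> level 1 events -> level 2 alarms, mirroring the three-step workflow."""
    events = [e for e in map(level1, raw_lines) if e is not None]
    return events, level2(events)
```

Running `run_pipeline(RAW_LOGS)` yields six events and a single alarm for WS01; WS02 has only one failed logon and stays below the threshold.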

This is an example Alarm generated by the cloud correlation engine as it analyzes Windows Event log events (ALARM: Windows Brute Force Attempt)

a1.png

If your customer portal account profile is set up as “Intermediate”, you will be able to see the events that the cloud correlation engine used (level 2 correlation) to determine that an alarm was necessary. You can see there are events such as “Brute force login attempt…”.

a2.png

If you click on the event and go to event details you will see the actual raw log entry from the Windows event log and the level 1 correlation rule that tripped.

a3.png

If you want to see this rule and many others, go to Sensors | ‘choose the sensor’ | and choose ‘log rules’.

a4.png

You can then find the rule and click on the ‘I’ to see the details.

a5.png
