TWTQ: Correlation threshold limit

Hey everyone!

We're back for TWTQ, or This Week's Top Question:

Q: What's the use of the "threshold limit" for actions when I'm creating or modifying correlation rules?

A: Let's understand how a correlation rule is structured. A correlation rule is a pattern used to detect possible security incidents in your network. This pattern is made up of a sequence of log events - a Windows logon event, a firewall denied connection, a table created in a database, etc. EventLog Analyzer collects logs from the various devices in your network, and if a sequence of logs matches this pattern, you receive an alert instantly. 

You can create custom rules by going to:
Correlation -> Manage rules -> +Create rule

You can modify existing rules by going to:
Correlation -> Manage rules -> Selecting the Update icon next to the required rule

Sometimes, the correlation rule may include a few events (or actions) that occur multiple times in succession. For instance, you may wish to detect a brute force attack by looking for five failed Windows logons, followed by a successful logon. Instead of adding the failed logon five times, you can simply use the 'Threshold limit' option, found under the advanced options for the action.

The threshold limit simply specifies how many times a specific action within the rule has to repeat for the rule to hold true. All these repetitions have to occur within the time window for that action, that is, the amount of time within which the action must follow the previous action.

Note: If you're specifying a threshold limit for the first action in the rule, you also have to provide the time window within which the repetitions have to occur.

An additional advantage of using a threshold limit is that you can use the 'constant within action' field-based condition. In the brute force example, if you wish the username to be constant in all the failed logons, you can select the username field and apply the 'constant within action' condition.
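To make the threshold limit, time window and 'constant within action' behaviour concrete, here is a small added example that reproduces the brute force rule described above in plain Python. It is not EventLog Analyzer code and does not use the product's rule engine; it simply shows what the rule is asking the correlator to check: five failed logons with the same username inside one time window (threshold 5, window 60 s), followed by a successful logon within 30 s. The event tuples are constructed sample data, the window lengths are assumptions, and requiring the successful logon to carry the same username as the failures is an extra assumption made for this example.

```python
from collections import defaultdict, deque

# Constructed sample log stream (not real product output):
# (timestamp in seconds, event type, username)
SAMPLE_EVENTS = [
    (0, "failed_logon", "alice"),
    (5, "failed_logon", "alice"),
    (9, "failed_logon", "bob"),
    (12, "failed_logon", "alice"),
    (20, "failed_logon", "alice"),
    (25, "failed_logon", "alice"),    # 5th failure for alice within 60 s: threshold met
    (30, "success_logon", "alice"),   # success 5 s after the threshold was met: alert
    (100, "failed_logon", "carol"),
    (200, "failed_logon", "carol"),
    (300, "failed_logon", "carol"),
    (400, "failed_logon", "carol"),
    (500, "failed_logon", "carol"),   # 5 failures, but spread over 400 s: no alert
    (505, "success_logon", "carol"),
    (600, "success_logon", "dave"),   # success with no preceding failures: no alert
]


def correlate(events, threshold=5, window=60, follow_window=30):
    """Return alerts for: <threshold> failed logons for one username within
    <window> seconds (the 'constant within action' condition on username),
    followed by a successful logon for that user within <follow_window>
    seconds of the moment the threshold was reached.

    threshold / window / follow_window are assumed rule parameters."""
    # Per-username timestamps of recent failed logons; 'constant within action'
    # means we count repetitions separately for each username value.
    failures = defaultdict(deque)
    # Username -> timestamp at which the first action (the repeated failures)
    # was satisfied, i.e. when the next action's clock starts.
    armed = {}
    alerts = []

    for ts, kind, user in sorted(events):
        if kind == "failed_logon":
            recent = failures[user]
            recent.append(ts)
            # Drop failures that fall outside the action's time window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                armed[user] = ts
        elif kind == "success_logon":
            met_at = armed.get(user)
            # The second action must follow the first within its own window.
            if met_at is not None and ts - met_at <= follow_window:
                alerts.append({"user": user, "threshold_met_at": met_at, "success_at": ts})
                failures[user].clear()
                del armed[user]
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints one alert, for alice, because only her five failures fit inside the 60 s window and her successful logon arrives within 30 s of the fifth failure. Widening the window to 600 s would also fire for carol, and lowering the threshold changes which users qualify, which is exactly the tuning the threshold limit and time window fields expose in the rule editor.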