Correlation Notifications Not Giving a Search Replay


1. Describe your incident:
I am trying to get some correlation rules configured for the first time, so bear with me if I did something that's obviously wrong.

As a tester I wanted to configure a notification to be sent anytime the same source ip (field in logs is defined as src_ip) fails to login to the VPN x number of times (currently at >=2) followed by a successful login.

As of right now, I got it to where I get the notification, but the link in the email leads me to a page that says: “Loading component failed: l.replay_info is null”.

I tried looking up this error message but couldn’t find any info on it.

2. Describe your environment:
We are running Graylog Cloud, 2 node cluster. The logs I am trying to alert on are Cisco ASA logs. If you need other information, let me know.

3. What steps have you already taken to try and solve the problem?
I had originally suspected my issue was with my defined fields in my alert definitions so I have played with that a lot.
I made sure to read through the documentation but nothing specific in there (that I could see) which solves my problem.
Not even sure where to look.

4. How can the community help?
Point me in right direction to look so I can get these search replays. Search replays work for basic event aggregation alerts but not for this search correlation alert.

Trying to figure out how to show my alert definitions since I cannot post images…

Failure Definition:

Type: Aggregation
Search Query: ( source:asa1 OR source:asa2 ) AND event_code:113005
Search Filters: No filters configured
Streams: [ASAs]
Search within: 5 minutes
Execute search every: 1 minutes
Enable scheduling: yes
Group by Field(s): src_ip
Create Events if: count(src_ip) > 1
Actions: Replay search

Fields
  Keys: srcip
  srcip:
    Is Key? Yes
    Data Type: string
    Value source: Template
    Template: ${source.src_ip}
    Validate that all Template values are set: No

Success Definition:

Type: Aggregation
Search Query: ( source:asa1 OR source:asa2 ) AND event_code:113039
Search Filters: No filters configured
Streams: [ASAs]
Search within: 5 minutes
Execute search every: 3 minutes
Enable scheduling: yes
Group by Field(s): src_ip
Create Events if: count(src_ip) >= 1
Actions: Replay search

Fields
  Keys: srcip
  srcip:
    Is Key? Yes
    Data Type: string
    Value source: Template
    Template: ${source.src_ip}
    Validate that all Template values are set: No

Correlation Definition:

Correlate Events within: 10 minutes
Execute Correlation every: 4 minutes
Enable scheduling: yes
Event #1: Testing - VPN Login Failure: Same Source IP (should occur 1 time)
Event #2: Testing - ASA VPN Login Successful (should occur 1 time)

Fields
  Keys: sourceip_
  sourceip_:
    Is Key? Yes
    Data Type: string
    Value source: Template
    Template: ${source.srcip}
    Validate that all Template values are set: Yes

Notifications

Settings
  Grace Period is set to 1 minute
  Notifications will include 3 messages
  Testing - Email Testing Notification (Email Notification)

Something I am not clear on is the fields. Maybe someone can help explain those. If I am looking to correlate src_IP between 2 event definitions, can I just use src_IP for both name and value?

Additionally, is a search replay even possible with correlation alerts? I just used a copy of the event definition email alert here, so it might be putting in an event link that doesn't even work/exist.

EDIT: Maybe this is the type of thing only available in GL Security? I have an Enterprise license. What I am looking for is to get a searchable link accompanying my correlation alert email.

What version of GL are you running?
A fix for this was included in 5.2.

We are running Cloud 6.0.2

The 5.2 “fix” was to hide the replay link for correlation events. That action is not supported.
You can still perform replay on the individual events that are being correlated.

Well, that's unfortunate. A big feature of other SIEMs I have used (like offenses in QRadar) was to define correlation logic, then have all the relevant events added to a single search space.

I have found a temporary workaround where I have done a search and then just slapped that search URL into my notification email, where certain properties get replaced with the field that the correlation indexes on.

Example would be something like this:
Alert Replay: ${http_external_uri}search?q=%28source_ip%3A${event.key}+OR+src_ip%3A${event.key}+OR+${event.key}%29+AND+NOT+%28event_code%3A725001+OR+event_code%3A725016+OR+event_code%3A725002+OR+event_code%3A725007+OR+event_code%3A722035+OR+event_code%3A106023%29&rangetype=relative&streams=63efd5ef8204a3278b7c5fc4&from=172800

Still need to test it out but hoping it will work.
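An added example (not code from the thread or from Graylog) that builds the same kind of search-replay URL as the workaround above, but as a function: the correlation key is escaped for Lucene query syntax before being spliced into the query, and the whole query string is URL-encoded by the standard library. The base URI, key and stream id are constructed sample inputs; `base_uri` stands in for `${http_external_uri}` and the stream id is the one quoted in the workaround URL.

```python
# Added example, not code from the thread: builds a Graylog search-replay
# URL for a correlation key, escaping the key for Lucene query syntax and
# URL-encoding the query with the standard library.
from urllib.parse import urlencode

# Lucene query syntax special characters that must be backslash-escaped
# when a raw value (here the event key) is spliced into a query.
LUCENE_SPECIALS = set('+-&|!(){}[]^"~*?:\\/ ')

# Noisy ASA event codes excluded in the workaround URL on this page.
EXCLUDED_EVENT_CODES = ("725001", "725016", "725002", "725007", "722035", "106023")


def escape_lucene(value: str) -> str:
    """Backslash-escape characters that would change the query structure."""
    return "".join("\\" + c if c in LUCENE_SPECIALS else c for c in value)


def build_query(event_key: str, excluded=EXCLUDED_EVENT_CODES) -> str:
    """Match the key in either IP field (or anywhere), minus the noise codes."""
    key = escape_lucene(event_key)
    noise = " OR ".join(f"event_code:{code}" for code in excluded)
    return f"(source_ip:{key} OR src_ip:{key} OR {key}) AND NOT ({noise})"


def build_replay_url(base_uri: str, event_key: str, stream_id: str,
                     from_seconds: int = 172800) -> str:
    """Assemble the /search URL; base_uri stands in for ${http_external_uri}."""
    params = {
        "q": build_query(event_key),
        "rangetype": "relative",   # relative range: the last `from_seconds` seconds
        "streams": stream_id,
        "from": from_seconds,
    }
    # urlencode() uses quote_plus, so parentheses and colons become %28/%3A
    # and spaces become '+', matching the hand-built URL in the thread.
    return f"{base_uri.rstrip('/')}/search?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample values: a private IP as the correlation key and the
    # stream id quoted in the thread's workaround URL.
    print(build_replay_url("https://graylog.example.com/", "10.0.0.5",
                           "63efd5ef8204a3278b7c5fc4"))
```

A key containing Lucene-special characters (a colon or a space, say) would otherwise change the query's structure; `escape_lucene` keeps it a literal.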

I wondered if Investigations in Graylog Security do this. I'll have to demo that.

Security investigations do pull together information from many sources.
But if you find this is not well supported in GL, please do file a feature request so it can be considered for future versions.
