Graylog 3.1 Correlation Alert unexpected operation

I have an event for every successful AD login.
Each event is set to fire when there is a successful AD logon keyed off UserID

I was trying to test throw a Correlation alert from these events, to test how the correlation engine works my first attempt was (this is where I stopped since it doesn’t seem to work as I had hoped/thought):
for last 1 min
run every 1 min
if AD Success Logon
times 3
Key UserID
Send Email Notification
Backlog 5

What happens:
It appears to be the Alert fires:

  1. Only after three AD Success Logon events (as expected)
  2. For any three AD Success Logon events - NOT BY KEY: UserID (Not as expected)
  3. No matter the backlog log set for the notification only one shows in the email. (though this may not be an issue since during testing each Alert was truly for one Key: UserID)
  4. An Alert for each unique UserID (as expected)

What I would have expected to happen was:

  1. After three events of the same type (AD Success Logon) with the same Key: UserID, I would get an Alert.
  2. The Backlog data would only contain the Key: UserID events that happened within the above criteria i.e. last 1 min 3 AD Success Logons for Key UserID 3 or more.

I guess my questions are A. am I off on how this should work? B. if this is the intended operation can it be changed/updated to say correlate to the Key(s)?

I believe it would be a much more useful tool if it would operate as I had expected it too. Currently the Correlation event described above would fire every time there were three AD Success Logon events even if there was not three with the same Key: UserID, without it matching on both event type and Key you get alerts when there aren’t truely the correct criteria matching i.e. the event happened by the same Key: UserID.

Hello Allen,

when you are saying “keyed off UserID” did you configure the UserID as an Event Key
for the event definition that creating the AD login events?
The correlation engine automatically uses the keys of the underlying events.

Yes I did. I have found since posting the quest found that it actually is keying off the UsserID correctly. What it doesn’t do though is give me the backlog
data as expected. No matter what the backlog is set to only one message makes it into the backlog data. This is an issue when setting a correlation event with two steps and you want all the messages that correlate to that event like say:

For AD looking for an account being attacked:

Failed logins >= 5

Followed by:

Successful logon

In my notification email I only get one message which is the successful logon event.

Here is the email content:

— [Event Definition] ---------------------------

Title: AD Alert: Account Attack

Description:

Type: correlation-v1

— [Event] --------------------------------------

Timestamp: 2019-12-02T02:09:23.000Z

Message: AD Alert: Account Attack

Source: seclogserver.messiah.edu

Key: cw1396

Priority: 3

Fields:

UserID: cw1396

Last Events accounting for this Alert:

Message: AD Successful Logons: cw1396|153.42.16.6|4624 - count(TargetUserName)=1.0

Event-ID: 4624

UserID: cw1396

IP: 153.42.16.6

Last Events accounting for this Alert 2:

Message: AD Successful Logons: cw1396|153.42.16.6|4624 - count(TargetUserName)=1.0

Here is the JMTE:

— [Event Definition] ---------------------------

Title: ${event_definition_title}

Description: ${event_definition_description}

Type: ${event_definition_type}

— [Event] --------------------------------------

Timestamp: ${event.timestamp}

Message: ${event.message}

Source: ${event.source}

Key: ${event.key}

Priority: ${event.priority}

Fields:

{foreach event.fields field} {field.key}: {field.value}{end}

${if backlog}

Last Events accounting for this Alert:

${foreach backlog message}

Message: ${message.message}

${foreach message.fields.fields field}

{field.key}: {field.value}${end}

${end}

${else}

${end}

${if backlog}

Last Events accounting for this Alert 2:

${foreach backlog message}

Message: ${message.message}

${end}

${else}

${end}

image001.png

Yes, this is on purpose. We figured that the last event that passes the correlation rule chain is the significant event. Including all previous events in the backlog was technically difficult to implement efficiently.
We’re planning to include a URL in the notification that would lead to a search page showing the related events / messages instead.

That would be helpful, what is the planned date of that implementation?

image001.png

Probably with 3.3, But I can’t say for certain :frowning: :slight_smile: