Should I flood my events stream with events used for correlation?


1. Describe your incident:
I’d like to use an event correlation but I am not sure if the correct way to do it is to flood my Alerts & Events tab with all the data needed to create the correlation event.
Example:

I would like to alert on a single IP address having over 100 failed Kerberos pre-auths. The only way I can think to do this is by using Event correlation. I create the event “failed Kerberos pre-auth” with the key of “IP_address”. Then I make an event correlation so that if the IP_address from that event shows up 100 times, it sends me a notification.

My problem with this is that my Event & Alerts tab will be flooded with garbage events that mean nothing. Only the correlated event will be useful. Is there a better way to do this or should I just flood it?

2. Describe your environment:

  • OS Information:
    RHEL 7
  • Package Version:
    4.3
  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

4. How can the community help?

I’d like to know either what other people do in this scenario or what they do to work around it.


@Hashcab, what you are describing is not really a correlated event. It’s referred to as an aggregated event.

First things first, you will need to be working with parsed messages, where the message is broken out into fields. Have you done that yet?

Please share the event definition page, and I will try to guide you on how to do it. It’s not difficult once you see how it’s done.

Yes, all of the fields in my messages are parsed. What I meant about the IP address failing to log on to several accounts is that I can’t figure out a way to alert on a field’s value being the same for 100+ messages. If I suspected that IP address 192.168.0.43 will password spray, then I am able to query on “IP_address: 192.168.0.43” and set the aggregate to be above 100. But I want to make that IP address in the query a variable, because I do not know which IP will password spray; the only way I can think to do this is through correlation using IP_address as the key.

Another example for my correlation question could be alerting on 5 failed logons followed by an account lockout. In order to alert on the 5 failed logons, would I have to create a “failed logon” event? My frustration with this is that I do not want to flood my Events tab with failed logons that mean nothing only to satisfy a correlation event.

Let me know if that made any sense! Thanks for the help!

Your first use case does not require a correlated event, but an aggregated event. You can use the Group By feature to restrict your evaluations to individual IPs. Then you set your X occurrences over Y time condition below that, and it will count to 100 by source IP, not the total number of failed logins.

You could use this same example in your correlated alert. Then you get one event for five failed logins, one event for account lockout, then you put those together for the correlated alert.
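To make the distinction concrete, here is an added example (not Graylog code, and not posted by anyone in this thread) that runs both detections over constructed, already-parsed events: an aggregation that groups failed Kerberos pre-auth messages by `IP_address` and fires once a single IP reaches 100 in a 5-minute window (the Group By plus "X occurrences over Y time" condition described above), and a sequence correlation that fires when 5 failed logons on one account are followed by a lockout of that account. The field names (`event_type`, `IP_address`, `account`), thresholds, windows and every sample event are assumptions made for the illustration.

```python
"""Added example: per-key sliding-window aggregation and a two-stage
sequence correlation over constructed, already-parsed log events.
This is illustrative code, not Graylog's implementation."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_events():
    """Constructed sample events (not captured from a real system).
    Field names are assumed; in the thread the messages are already parsed."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # 120 failed Kerberos pre-auths from one IP within ~4 minutes -> should alert
    for i in range(120):
        events.append({"ts": base + timedelta(seconds=2 * i),
                       "event_type": "kerberos_preauth_failed",
                       "IP_address": "192.168.0.43",
                       "account": f"user{i % 30}"})
    # a handful from another IP -> must NOT alert (counts are per IP, not total)
    for i in range(3):
        events.append({"ts": base + timedelta(seconds=10 * i),
                       "event_type": "kerberos_preauth_failed",
                       "IP_address": "10.0.0.7", "account": "alice"})
    # 5 failed logons on one account, then a lockout of that account -> correlate
    for i in range(5):
        events.append({"ts": base + timedelta(minutes=10, seconds=30 * i),
                       "event_type": "logon_failed",
                       "IP_address": "10.0.0.9", "account": "bob"})
    events.append({"ts": base + timedelta(minutes=13),
                   "event_type": "account_lockout", "account": "bob"})
    # a lockout with no preceding failures -> must NOT correlate
    events.append({"ts": base + timedelta(minutes=20),
                   "event_type": "account_lockout", "account": "carol"})
    events.sort(key=lambda e: e["ts"])
    return events


def aggregate_alerts(events, event_type, group_by, threshold, window):
    """Aggregation: count `event_type` per distinct value of `group_by` over a
    sliding `window`; emit one alert per group the first time it reaches
    `threshold`. Nothing per-message is emitted, only the aggregate."""
    buckets = defaultdict(deque)   # group value -> timestamps inside the window
    alerted = set()
    alerts = []
    for e in events:
        if e.get("event_type") != event_type:
            continue
        key = e.get(group_by)
        if key is None:
            continue
        q = buckets[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"group": key, "count": len(q), "ts": e["ts"]})
    return alerts


def correlate_sequence(events, first_type, first_count, second_type, key, window):
    """Correlation: `first_count` events of `first_type` sharing the same `key`
    followed within `window` by a `second_type` event for that key."""
    history = defaultdict(deque)   # key value -> timestamps of first_type events
    alerts = []
    for e in events:
        k = e.get(key)
        if k is None:
            continue
        q = history[k]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["event_type"] == first_type:
            q.append(e["ts"])
        elif e["event_type"] == second_type and len(q) >= first_count:
            alerts.append({"key": k, "failures": len(q), "second_ts": e["ts"]})
            q.clear()               # one alert per completed sequence
    return alerts


def run():
    events = make_events()
    spray = aggregate_alerts(events, "kerberos_preauth_failed", "IP_address",
                             threshold=100, window=timedelta(minutes=5))
    lockouts = correlate_sequence(events, "logon_failed", 5, "account_lockout",
                                  key="account", window=timedelta(minutes=10))
    return spray, lockouts


if __name__ == "__main__":
    spray, lockouts = run()
    for a in spray:
        print(f"aggregate: {a['group']} reached {a['count']} failed pre-auths at {a['ts']}")
    for a in lockouts:
        print(f"correlated: {a['key']} had {a['failures']} failed logons before lockout at {a['second_ts']}")
```

Note the difference in what each detection needs as input: the aggregation only ever sees the raw parsed messages and produces a single event per offending IP, so the Events tab is not flooded with per-message "failed pre-auth" events; the sequence correlation is the one that genuinely works over the two intermediate events (the failed-logon count and the lockout), which is why the thread's second use case does need them.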

Thanks for the help! It looks like the Group By feature will do what I was looking for!
