Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Help with a correlation rule? "Unauthorized login"

Created: 08 Feb 2013 | 5 comments

We have several systems, which are primarily used by only one individual.

We would like to be able to see if/when a "new" user logs in to that system. Similar to an "X not follwed by X" rule, but not sure if or how we can establish criteria for the primary user, and differentiate them from an "unauthorized" user.

This is a college campus, and there are "oportunities" for student workers to have access to exam information which may be kept on local drives.

Any direction would be appreciated.

Thanks!

Ron

Comments 5 CommentsJump to latest comment

mathell's picture

I'm going to assume what you mean is that each system has a primary user, and that you want to alert when someone other than the primary user logs in to that system?  

in order to do that effectively, you'd have to create a profile or baseline for each user or machine. That sounds a lot like [user behavior] anomaly detection. There are solutions designed for that purpose, but SSIM isn't one of them. QRadar supposedly has some features like this.  And there's Securonix. Getting back to SSIM though...

I don't think doing this automagically with correlation rules in the SSIM is possible. The only way I think you can do this is by manually creating relationships between systems and primary users (the profile). If you only have several systems (versus thousands), that should be easy enough to do.

Another alternative is to trigger whenever more than one user logs into a single system. Obviously that would only work if the primary user logged in with the same ~24 hour period.  It would also require a lot of tuning out of "system" time logins.

 

MegL's picture

I don't know the quantity of systems but if it isn't too many, here is probably what you want to do (Caveat: only on 4.7 and above). The success of this will also depend on the collectors and information you have being collected into the SSIM. SCSP may work better than generic OS because you can tune it to more specific events.  It will need tuning to your specifics but it can give you the general rule.

Create a table: Userlogin. Two columns, make the primary key called username and define it as string.

Create a rule "Lookup Table Update Rule" - This should be event specific "When Somebody logs in to the system, put the username in the system lookup table"  (Note, login likely is not the best event, you may want something more specific that is definitely run by the system owner) . Define the table as the userlogin table, and make sure the event field specifies the Username. The timeout should maybe be over 24 hours, but I am not sure that works. You can try.

Then you write a second rule which alerts on things not in that table. You can do a table a system if there aren't a lot. You may not want a rule, but a query at the end of each day if thats more relevant to your use case.

 

VSK's picture

You have to use the windows event collector. Then create a rule for the user.

-VSK

mathell's picture

@Meg, I considered that as well, but that solution has a couple potention problems.  The biggest one being that it seems to require proper ordering of the triggers/rules. If the lookup table update occurs before the alerting rule, then the latter will never trigger right? Do you know if there a way to guarantee the order in which rules are applied? One other potential problem is that unless you have a separate update rule and table for each system, you will be adding all users that log into any system.  Neither of those options seems acceptable, but I guess whatever works for the OP.

 

mohpossum's picture

Thanks for the input! Very good points, and I will try to work with what you've supplied. It moves me much further along!

Have a great week, what's left of it!

Ron

It always rains...at the end of a dry spell.