Previous Topic: Apply Correlation Rules and Incident NotificationsNext Topic: Set Collection Servers

Implementation GuideConfiguring ServicesConfiguring the Correlation ServiceUsing Pre-Defined Correlation Rules

Using Pre-Defined Correlation Rules

CA User Activity Reporting Module provides a large number of pre-defined correlation rules for use in your environment, organized by type or regulatory requirement. For example, in the Correlation rules folder of the Library interface, you can see a folder titled PCI, containing rules for various PCI requirements. You can also see a folder titled Identity, which contains general-purpose rules on authorization and authentication.

There are three main types of rules, any or all of which may be included in each category. This topic gives an example of choosing and applying one of each type.

Example - Select and Apply a Simple Rule

Simple correlation rules detect the presence of one state or occurrence. For example, you can apply a rule that alerts you to account creation activity outside normal office hours. Before applying any rule, you should ensure that you have created the Notification Destinations that you want for your environment.

To select and apply the Account Creation Outside Normal Office Hours rule

  1. Click the Administration tab, then the Library subtab, and expand the Correlation Rules folder.
  2. Expand the PCI folder, then the Requirement 8 folder, and select the Account Creation Outside Normal Office Hours rule.

    The rule details appear in the right pane.

  3. Review the rule details to ensure that the rule is appropriate for your environment. In this case, the filters define the account creation action, and set the normal business hours by time and day of the week.
  4. (Optional) Click Edit at the top on the pane to modify the filter settings, if required. For example, you could change the normal work hours to fit your local specifications.

    The Manage Rule wizard opens, populated with the rule details.

  5. Add any notification details you want in the Manage Rule wizard. Notification details provide the message content that is delivered as specified in Notification Destinations.
  6. Once you have finished preparing the rule, click Save and Close in the wizard. When you edit and save a pre-defined correlation rule, CA User Activity Reporting Module automatically creates a new version, preserving the original version.
  7. Click the Services subtab, and expand the Correlation Service node.
  8. Select the server you want to apply the rule on. If you have identified a Correlation Server you should select that server.
  9. Click Apply in the Rule Configuration area, and select the new version of the Account Creation Outside Normal Business Hours rule, along with the Notification Destination you want associated with it.
  10. Click OK to close the dialog and activate the rule.

Example - Select and Apply a Counting Rule

Counting correlation rules identify a series of identical states or occurrences. For example, you can apply a rule that alerts you to five or more failed logins by an Administrator account. Before applying any rule, you should ensure that you have created the Notification Destinations that you want for your environment.

To select and apply the 5 Failed Logins by Administrator Account rule

  1. Click the Administration tab, then the Library subtab, and expand the Correlation Rules folder.
  2. Expand the Threat Management folder, then the Suspicious Account and Login Activity folder, and select the 5 Failed Logins by Administrator Account rule.

    The rule details appear in the right pane.

  3. Review the rule details to ensure that the rule is appropriate for your environment. In this case, the filters define an Administrator account as a username belonging to the 'Administrators' keyed list, and sets the count threshold to 5 events in 60 minutes.
  4. (Optional) Click Edit at the top on the pane to modify the filter settings, if required. For example, you could change the time threshold to 3 events in 30 minutes.

    The Manage Rule wizard opens, populated with the rule details.

  5. Add any notification details you want in the Manage Rule wizard. Notification details provide the message content that is delivered as specified in Notification Destinations.
  6. Once you have finished preparing the rule, click Save and Close in the wizard. When you edit and save a pre-defined correlation rule, CA User Activity Reporting Module automatically creates a new version, preserving the original version.
  7. Click the Services subtab, and expand the Correlation Service node.
  8. Select the server you want to apply the rule on. If you have identified a Correlation Server you should select that server.
  9. Click Apply in the Rule Configuration area, and select the new version of the 5 Failed Logins by Administrator Account rule, along with the Notification Destination you want associated with it.
  10. Click OK to close the dialog and activate the rule.

Example - Select and Apply a State Transition Rule

State transition correlation rules identify a series of states or occurrences in turn. For example, you can apply a rule that alerts you to failed logins followed by a successful login from the same user account. Before applying any rule, you should ensure that you have created the Notification Destinations that you want for your environment.

  1. Click the Administration tab, then the Library subtab, and expand the Correlation Rules folder.
  2. Expand the Identity folder, then the Authentication folder, and select the Failed Logins Followed by Success rule.

    The rule details appear in the right pane.

  3. Review the rule details to ensure that the rule is appropriate for your environment. In this case, the details pane displays the two states that the rule tracks. The first is five or more failed logins by the same user account or identity. The second is a successful login by that same user or identity.
  4. (Optional) Click Edit at the top on the pane to modify the state settings, if required.

    The Manage Rule wizard opens, displaying the two states that make up the rule.

  5. Double-click any state you want to change.

    The State Definition wizard appears, displaying the details of the state.

  6. Make any state changes you want to the state you selected., and click Save and Close to return to the Manage Rule wizard. For example, the first state checks for 5 failed logins in 10 minutes. You could change the failed login threshold, or the time, or both.
  7. Add any notification details you want in the Manage Rule wizard. Notification details provide the message content that is delivered as specified in Notification Destinations.
  8. Once you have finished preparing the rule, click Save and Close in the wizard. When you edit and save a pre-defined correlation rule, CA User Activity Reporting Module automatically creates a new version, preserving the original version.
  9. Click the Services subtab, and expand the Correlation Service node.
  10. Select the server you want to apply the rule on. If you have identified a Correlation Server you should select that server.
  11. Click Apply in the Rule Configuration area, and select the new version of the Failed Logins Followed by Success rule, along with the Notification Destination you want associated with it.
  12. Click OK to close the dialog and activate the rule.

More information:

About Incident Notifications

About Correlation Rules

Set Notification Defaults

Apply Correlation Rules and Incident Notifications