Statistical lists are lists that are linked to a condition.
Examples are Brute Force Host, Port Scanners and so on. You can use these lists when creating correlation rules.
Statistical lists are used when repeated events are expected within a specific period of time. For example, Multiple Login Failures (@@LoginFailure: a mini query for login failures on any device) occurring 5 times in six minutes.
Description: Here you specify a name for the list.
Type: Statistical
Severity: Use this selection to decide how important the list is to you.
Context: You can tag the object that enters this list as Suspicious, Victim or Attacker for use in future events.
Query: As the query, use the @@LoginFailure mini query, because you want to match unsuccessful login operations.
Group Column: The column the events are grouped by. Set it to Source.UserName.
Values Column: The column whose values are counted within each group. Likewise, set it to Source.UserName.
Criteria: Choose Value Count as the criterion; it counts how many times each user produces a failed login attempt.
Trigger Level: If seven (7) or more unsuccessful login attempts occur, the user enters the list.
Check events in last: The time window, in seconds, within which the events are counted; here it is seven hundred twenty (720) seconds.
Update Period: How often, in seconds, the entry for that event is refreshed; this runs independently of the Check events in last option.
Purge Period: The number of seconds after which an entry is removed from the list. By default, it is three thousand (3000) seconds.
Index Events: If you tick the Index Events option, the list will be written to the Logsign Unified SecOps Platform Index system.
Then you use the Save button to save your settings.
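To make the interaction of Trigger Level, Check events in last and Purge Period concrete, here is an added example (not Logsign's own code) that replays constructed login events through a small Value Count list keyed on Source.UserName. It assumes events are dicts with a numeric `timestamp` and an `EventType` field, that the window is a sliding one and that the purge timer starts when a key enters the list; `is_login_failure` stands in for the @@LoginFailure mini query.

```python
from collections import defaultdict, deque

def is_login_failure(event):
    """Stand-in for the @@LoginFailure mini query (assumed event shape)."""
    return event.get("EventType") == "LoginFailure"

class StatisticalList:
    """Value Count list: a key enters once it has trigger_level matching events in the
    last `window` seconds and is purged `purge` seconds after insertion (assumed semantics)."""
    def __init__(self, group_column, query, trigger_level=7, window=720, purge=3000, context="Attacker"):
        self.group_column, self.query, self.context = group_column, query, context
        self.trigger_level, self.window, self.purge = trigger_level, window, purge
        self._hits = defaultdict(deque)  # key -> event timestamps still inside the window
        self.entries = {}                # key -> {"context": ..., "inserted_at": ...}

    def _expire(self, now):
        for ts in self._hits.values():
            while ts and now - ts[0] > self.window:      # Check events in last: drop old hits
                ts.popleft()
        for key, entry in list(self.entries.items()):
            if now - entry["inserted_at"] >= self.purge:  # Purge Period elapsed
                del self.entries[key]

    def feed(self, event):
        """Process one event; return the key if it newly entered the list, else None."""
        now = event["timestamp"]
        self._expire(now)
        key = event.get(self.group_column)
        if key is None or not self.query(event):
            return None
        self._hits[key].append(now)
        if len(self._hits[key]) >= self.trigger_level and key not in self.entries:
            self.entries[key] = {"context": self.context, "inserted_at": now}
            return key
        return None

    def members(self, now):
        self._expire(now)
        return dict(self.entries)

# Constructed sample events (not real logs): 'alice' fails 7 times within 60 s plus one
# success; 'bob' also fails 7 times but 200 s apart, so never 7 inside the 720 s window.
SAMPLE_EVENTS = sorted(
    [{"timestamp": 1000 + 10 * i, "Source.UserName": "alice", "EventType": "LoginFailure"} for i in range(7)]
    + [{"timestamp": 1035, "Source.UserName": "alice", "EventType": "LoginSuccess"}]
    + [{"timestamp": 1000 + 200 * i, "Source.UserName": "bob", "EventType": "LoginFailure"} for i in range(7)],
    key=lambda e: e["timestamp"])

def replay(events=SAMPLE_EVENTS):
    lst = StatisticalList("Source.UserName", is_login_failure)
    return lst, [k for k in map(lst.feed, events) if k is not None]
```

Only alice enters the list (tagged Attacker) and her entry disappears 3000 seconds after insertion; bob's spread-out failures never reach seven inside one window.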
After creating your alarm list, you have to create a rule based on it. That way Logsign Unified SecOps Platform will start to produce the alarms you need. The next step is creating the alarm.
Using the Logsign Unified SecOps Platform WEB interface, click on the Alerts -> Alert Rules tab, then click on the New Alert Rule tab in the top right corner of the page.