2013-12-10 04:12 PM
I want to create a correlation rule on my log decoder to find failed RSA authentications from 1 source using multiple user IDs within 5 minutes.
Here's what I've got for my correlation rule:
Condition: event.cat.name=auth.failures && device.type=rsaacesrv
Threshold: u_count(user.dst)>2
InstanceKey: ip.src
Time Window: 5 minutes
When I validate the rule I get "There was an unspecified error parsing the rule."
When I try to apply the rule I get "threshold field error. Expect: thresh=op-string(key-string)>value[mb|kb|gb]"
OK, it doesn't like that. I added user.dst to the Instance Key so that this is what my rule looked like:
Condition: event.cat.name=auth.failures && device.type=rsaacesrv
Threshold: u_count(user.dst)>2
InstanceKey: ip.src, user.dst
Time Window: 5 minutes
When I validate the rule I get "There was an unspecified error parsing the rule." again.
When I try to apply the rule I get a different error: "Correlation compound keys must have the same format for both elements. Key ip.src format IPv4 is not the same as key user.dst format Text."
I don't think I'm understanding properly what Condition, Threshold, and Instance Key are specifying in any given Correlation Rule. Can anyone help me out?
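The logic the rule above is meant to express (Condition filters events, Instance Key groups them per ip.src, Threshold counts distinct user.dst inside the Time Window), written out as an added Python example for comparison. This is not the decoder's own correlation engine; the events are constructed and the field names are taken straight from the rule.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events shaped like the meta the rule's Condition looks at.
# 16:08:00 is there to show window expiry: by then alice and bob have aged out.
SAMPLE_EVENTS = [
    {"time": "2013-12-10T16:00:00", "event.cat.name": "auth.failures", "device.type": "rsaacesrv", "ip.src": "10.1.1.5", "user.dst": "alice"},
    {"time": "2013-12-10T16:01:10", "event.cat.name": "auth.failures", "device.type": "rsaacesrv", "ip.src": "10.1.1.5", "user.dst": "bob"},
    {"time": "2013-12-10T16:01:30", "event.cat.name": "auth.success",  "device.type": "rsaacesrv", "ip.src": "10.1.1.5", "user.dst": "carol"},
    {"time": "2013-12-10T16:02:00", "event.cat.name": "auth.failures", "device.type": "rsaacesrv", "ip.src": "10.1.1.5", "user.dst": "alice"},
    {"time": "2013-12-10T16:03:45", "event.cat.name": "auth.failures", "device.type": "rsaacesrv", "ip.src": "10.1.1.5", "user.dst": "carol"},
    {"time": "2013-12-10T16:08:00", "event.cat.name": "auth.failures", "device.type": "rsaacesrv", "ip.src": "10.1.1.5", "user.dst": "erin"},
    {"time": "2013-12-10T16:09:00", "event.cat.name": "auth.failures", "device.type": "rsaacesrv", "ip.src": "10.1.1.9", "user.dst": "dave"},
]

WINDOW = timedelta(minutes=5)   # Time Window: 5 minutes
THRESHOLD = 2                   # Threshold: u_count(user.dst) > 2


def matches_condition(ev):
    # Condition: event.cat.name=auth.failures && device.type=rsaacesrv
    return ev["event.cat.name"] == "auth.failures" and ev["device.type"] == "rsaacesrv"


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return (ip.src, sorted distinct users, event time) for every event at
    which the rule would fire. Instance Key is ip.src: each source keeps a
    deque of (timestamp, user.dst) that is trimmed to the time window."""
    state = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not matches_condition(ev):
            continue
        ts = datetime.fromisoformat(ev["time"])
        q = state[ev["ip.src"]]
        q.append((ts, ev["user.dst"]))
        # Drop entries older than the window relative to this event
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}          # u_count(user.dst) over the window
        if len(users) > threshold:
            alerts.append((ev["ip.src"], sorted(users), ev["time"]))
    return alerts


if __name__ == "__main__":
    for src, users, when in correlate(SAMPLE_EVENTS):
        print(f"{when}: {src} failed auth as {len(users)} users {users}")
```

The 16:08:00 event does not fire because only carol and erin remain inside the window, which is the behaviour the 5-minute Time Window is there to give.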
2013-12-17 08:08 AM
Correlation rules using string types are supported in 10.3.0+, not 10.2.