2018-10-02 02:17 PM
Recently we built a core environment within an existing core environment. To access that environment, only a bunch of jump servers are allowed to access this environment. We are looking for a use case to be built which alerts us whenever a login attempt (success/fail) happens and the source is not part of that jump server family.
Any help would be appreciated.
2018-10-02 05:12 PM
Depending on what you want to do with these alerts, you could use either a Report or an ESA rule.
I would start with the Report section to look for hosts that are logging in to your restricted hosts from hosts not on your cleared list.
Put the hosts or networks in a list so you can manage the whitelist if you want to make it more modular.
You can schedule the report and have it emailed to you on a daily basis if you want to review it.
You will have to review the logs that you get from the Unix systems to make sure that you have values for source IP to match on; otherwise you won't be able to tell where the login attempt came from.
ip.src exists && device.class='unix'
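As an added example (not from the original posts or from NetWitness itself), the same check expressed in Python over constructed sshd log lines: logins whose source is not in the jump server whitelist are reported, and login events that carry no source IP (the case the answer warns about) are counted separately so they are not silently lost. The whitelist networks, host names and log lines are all made up for the example.

```python
import ipaddress
import re

# Jump server whitelist (constructed values): hosts or networks allowed to log in
JUMP_SERVERS = [ipaddress.ip_network(n) for n in ("10.10.5.0/24", "192.168.100.12/32")]

# OpenSSH success/failure lines carry the source IP ("from <ip>"), the ip.src equivalent
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# pam session lines record a login but no source IP, so they cannot be matched on ip.src
NO_SRC_RE = re.compile(r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")

# Constructed sample log lines for a restricted host
LOGS = [
    "Oct  2 14:17:01 core-db01 sshd[2201]: Accepted publickey for ops from 10.10.5.21 port 50122 ssh2",
    "Oct  2 14:18:44 core-db01 sshd[2210]: Failed password for root from 203.0.113.7 port 41000 ssh2",
    "Oct  2 14:19:02 core-db01 sshd[2215]: Accepted password for ops from 172.16.9.4 port 41211 ssh2",
    "Oct  2 14:19:30 core-db01 sshd[2215]: pam_unix(sshd:session): session opened for user ops by (uid=0)",
    "Oct  2 14:20:00 core-db01 sshd[2220]: Failed password for invalid user admin from 192.168.100.12 port 5533 ssh2",
]

def is_jump_server(src):
    """True if src is inside any whitelisted jump server host or network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in JUMP_SERVERS)

def classify(line):
    """Return (verdict, details): 'allowed' or 'alert' for lines with a source IP,
    'no_source' for login events without one, None for anything else."""
    m = SSHD_RE.search(line)
    if m:
        verdict = "allowed" if is_jump_server(m["src"]) else "alert"
        return verdict, {"outcome": m["outcome"], "user": m["user"], "src": m["src"]}
    m = NO_SRC_RE.search(line)
    if m:
        return "no_source", {"user": m["user"], "src": None}
    return None

def review(lines):
    """Like the scheduled report: alerts for non-jump-server logins (success or
    failure alike) plus the count of logins whose source could not be determined."""
    alerts, unknown = [], 0
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        verdict, details = result
        if verdict == "alert":
            alerts.append(details)
        elif verdict == "no_source":
            unknown += 1
    return alerts, unknown

if __name__ == "__main__":
    print(review(LOGS))
```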