Building Blocks to Event Rules Correlation

QradarNewbie

2016-03-08T19:36:44Z | buildingblock

Bottom Line Up Front: Is there a way to determine what rules are using existing building blocks (BBs)? (i.e., building block to rule linkage)

Background: I have a custom rule to trigger an alert on 3 or more authentication failures in a 5 minute period. For some reason, two BB:FalsePositive building block rules are interfering with the event triggering an offense. I have figured out what in the BB logic is causing this, but before I mess around with it, I want to see what other rules I might impact by editing the BB.


My issue is this. I want to flag on brute force attempts to log in to a workstation. These events do show up in the event log as "Account Failed to Log In", but the number set (3) within the time limit (5 minutes) is not triggering an offense. A detailed look into this event reveals 127.0.0.1 as the source address. (The destination address is the IP address of the workstation in question.) I discovered one of the BB:FalsePositive rules is triggering a false positive on the loopback address. I am assuming this was done to keep valid bad passwords from cluttering up the display. An offense is only flagged when the user is locked out. Before I remove the rule on the loopback address in the BB, I want to determine what other rules might be relying on this BB.


Thanks in Advance.
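The two mechanics behind this question, modelled as an added example that is not QRadar code, QRadar API output, or anything from the poster: a reverse lookup from a building block to every rule that references it (directly or through another building block), and a sliding-window "3 failures in 5 minutes" correlation that shows why a false-positive building block matching source 127.0.0.1 keeps the offense from ever firing. All rule names, building block names, the rule/BB data structures, and the event records are constructed stand-ins; the real QRadar rule set and export format differ.

```python
"""Added example (not QRadar's own engine or API).

Models two things worth having before editing a building block (BB):
 1. rules_using(bb): which rules depend on a BB, directly or transitively,
    so the blast radius of an edit is known before making it;
 2. correlate(events): a threshold-in-window rule whose events are swallowed
    by a "bypass further correlation" false-positive rule that matches 127.0.0.1.
Names and structures are hypothetical stand-ins for QRadar content.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    time: datetime
    name: str
    src_ip: str
    dst_ip: str
    user: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample events: four login failures against workstation 10.1.2.30
# reported with loopback as the source (as in the post), plus one unrelated failure.
EVENTS = [
    Event(_ts("2016-03-08T18:50:00Z"), "Account Failed to Log In", "127.0.0.1", "10.1.2.30", "jdoe"),
    Event(_ts("2016-03-08T19:00:10Z"), "Account Failed to Log In", "127.0.0.1", "10.1.2.30", "jdoe"),
    Event(_ts("2016-03-08T19:01:00Z"), "Account Failed to Log In", "127.0.0.1", "10.1.2.30", "jdoe"),
    Event(_ts("2016-03-08T19:02:30Z"), "Account Failed to Log In", "127.0.0.1", "10.1.2.30", "jdoe"),
    Event(_ts("2016-03-08T19:00:20Z"), "Account Failed to Log In", "10.1.2.55", "10.1.2.31", "asmith"),
]

# Hypothetical BB table: a name maps either to a predicate on one event, or to a
# list of other BB names whose results are ORed (a composite BB).
BUILDING_BLOCKS = {
    "BB:Auth: Login Failure": lambda e: e.name == "Account Failed to Log In",
    "BB:FalsePositive: Loopback Source": lambda e: e.src_ip == "127.0.0.1",
    "BB:FalsePositive: Scanner Source": lambda e: e.src_ip == "10.9.9.9",
    "BB:FalsePositive: Any": ["BB:FalsePositive: Loopback Source",
                              "BB:FalsePositive: Scanner Source"],
}


@dataclass
class Rule:
    name: str
    building_blocks: list      # every listed BB must match (AND)
    bypass: bool = False       # "bypass further rule correlation" response


# Hypothetical rule set. Bypass rules are listed first so they see events before
# the counting rules do, which is what hides the brute-force offense.
RULES = [
    Rule("False Positive: Any", ["BB:FalsePositive: Any"], bypass=True),
    Rule("Local Service Noise", ["BB:FalsePositive: Loopback Source"], bypass=True),
    Rule("Workstation Brute Force", ["BB:Auth: Login Failure"]),
]


def bb_matches(bb_name, event, bbs=BUILDING_BLOCKS) -> bool:
    definition = bbs[bb_name]
    if callable(definition):
        return definition(event)
    return any(bb_matches(child, event, bbs) for child in definition)


def expand(bb_name, bbs=BUILDING_BLOCKS) -> set:
    """Every BB reachable from bb_name, itself included."""
    seen, stack = set(), [bb_name]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        if not callable(bbs[name]):
            stack.extend(bbs[name])
    return seen


def rules_using(bb_name, rules=RULES, bbs=BUILDING_BLOCKS) -> list:
    """Rules that reference bb_name directly or through a composite BB."""
    return sorted(r.name for r in rules
                  if any(bb_name in expand(b, bbs) for b in r.building_blocks))


def without_bb(bb_name, bbs=BUILDING_BLOCKS) -> dict:
    """Copy of the BB table with one BB disabled (never matches)."""
    return {**bbs, bb_name: (lambda e: False)}


def correlate(events, rules=RULES, bbs=BUILDING_BLOCKS, threshold=3, window_s=300) -> list:
    """Offenses as (rule, dst_ip) once `threshold` matches land within `window_s` seconds."""
    recent, offenses = defaultdict(deque), []
    for e in sorted(events, key=lambda ev: ev.time):
        for rule in rules:
            if not all(bb_matches(b, e, bbs) for b in rule.building_blocks):
                continue
            if rule.bypass:
                break                      # event marked false positive; stop here
            key = (rule.name, e.dst_ip)
            q = recent[key]
            q.append(e.time)
            while (e.time - q[0]).total_seconds() > window_s:
                q.popleft()                # evict failures older than the window
            if len(q) >= threshold and key not in offenses:
                offenses.append(key)
    return offenses


if __name__ == "__main__":
    print(rules_using("BB:FalsePositive: Loopback Source"))
    print(correlate(EVENTS))
    print(correlate(EVENTS, bbs=without_bb("BB:FalsePositive: Loopback Source")))
```

With the loopback BB active no offense is produced, because both bypass rules match every 127.0.0.1 event before the counting rule sees it; disabling that one BB lets the same four events produce the brute-force offense. The reverse lookup reports both rules that would change behaviour, including the one that only reaches the BB through the composite.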