Correlation Blok (ECL) Examples
When a Blok triggers, it creates a correlation event result in forensic or search mode and, in real-time mode, executes the actions of the associated trigger (create an alert, notify by email or syslog).
| Blok | Definition |
|---|---|
| `USE LogLogic_Appliance WITHIN 30m EVENT GROUP [My EVENTS]` | Blok Example 1: This Blok triggers a new alert at the first event and accumulates all events during a 30-minute time period. |
| `USE LogLogic_Appliance WITHIN 30m EVENT GROUP [My EVENTS] HAVING AT LEAST 1 DISTINCT [ll_sourceDomain] HAVING AT LEAST 1 DISTINCT [ll_deviceTypeID]` | Blok Example 2: This Blok does the same as Blok Example 1, but the alerts generated also give information about the number of distinct ll_sourceDomain / ll_deviceTypeID values and what those values are. |
| `USE LogLogic_Appliance WITHIN 30m EVENT GROUP [My EVENTS] WHERE [ll_deviceTypeID] ="17" HAVING AT LEAST 2 DISTINCT [ll_sourceIP]` | Blok Example 3: This Blok filters events that have ll_deviceTypeID equal to "17" and at least 2 distinct values of ll_sourceIP. |
| `USE LogLogic_Appliance WITHIN 30m EVENT GROUP [suspiciousSources] AT LEAST 100 EVENTS WHERE [ll_deviceTypeID] ="17" WITH THE SAME [ll_sourceIP] HAVING AT LEAST 1 DISTINCT [ll_eventStatus]` | Blok Example 4: This Blok looks for at least 100 events with the same criteria as the previous one, coming from the same ll_sourceIP, and gives information about the number of distinct ll_eventStatus values and what they are. |
| `USE LogLogic_Appliance WITHIN 30m EVENT GROUP [suspiciousUsers] AT LEAST 100 EVENTS WHERE [ll_deviceTypeID] ="17" WITH THE SAME [ll_sourceUser] HAVING AT MOST 1 DISTINCT [ll_eventStatus] HAVING AT LEAST 10 DISTINCT [ll_sourceIP]` | Blok Example 5: This Blok filters events the same way as the previous one, and looks for 100 events from the same ll_sourceUser that have at least 10 distinct ll_sourceIP and at most 1 distinct ll_eventStatus. |
| `USE LogLogic_Appliance WITHIN 30m EVENT GROUP [success] AT LEAST 1 EVENTS WHERE [ll_deviceTypeID] ="17" AND [ll_eventStatus] = "success" WITH THE SAME [ll_sourceUser],[ll_sourceIP] EVENT GROUP [failed] AT LEAST 1 EVENTS WHERE [ll_deviceTypeID] ="17" AND [ll_eventStatus] ="failed" WITH THE SAME [ll_sourceUser],[ll_sourceIP] CORRELATION success->[ll_sourceIP]== failed->[ll_sourceIP] success->[ll_sourceUser]== failed->[ll_sourceUser]` | Blok Example 6: This Blok looks at two groups of events happening within 30 minutes. The first event group is success audits from the same ll_sourceIP/ll_sourceUser, and the second group is failed-status events grouped the same way. The Blok is triggered if the fields grouped on in both event groups are the same. |
| `USE LogLogic_Appliance WITHIN 30m EVENT GROUP [success] is excluded AT LEAST 1 EVENTS WHERE [ll_deviceTypeID] ="17" AND [ll_eventStatus] ="success" WITH THE SAME [ll_sourceUser],[ll_sourceIP] EVENT GROUP [failed] AT LEAST 1 EVENTS WHERE [ll_deviceTypeID] ="17" AND [ll_eventStatus] = "failed" WITH THE SAME [ll_sourceUser],[ll_sourceIP] CORRELATION success->[ll_sourceIP]== failed->[ll_sourceIP] success->[ll_sourceUser]== failed->[ll_sourceUser]` | Blok Example 7: Same as the previous Blok, but this time the Blok is triggered if there are only failed events within 30m for the same ll_sourceIP / ll_sourceUser. |
| `USE LogLogic_Appliance WITHIN 30m EVENT GROUP [users] WHERE [ll_eventStatus] ="failed" OR [ll_eventStatus]="success" WITH THE SAME [ll_sourceUser] HAVING AT LEAST 2 DISTINCT [ll_eventStatus]` | Blok Example 8: This Blok looks for users that have events with ll_eventStatus equal to either failed or success. |
| `USE LogLogic_Appliance WITHIN 30m EVENT GROUP [users] WHERE [ll_eventStatus] ="failed" OR [ll_eventStatus]="success" WITH THE SAME [ll_sourceUser] HAVING AT LEAST 2 DISTINCT [ll_eventStatus] HAVING SUM([ll_eventStatus] ="failed") > ( 2 *SUM([ll_eventStatus] ="success"))` | Blok Example 9: Same as the previous Blok, with the additional constraint that there are twice as many failed as success events. |
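As an added illustration (not part of the LogLogic documentation or product), the following Python models how the clauses of Blok Example 9 combine: WHERE filters statuses, WITH THE SAME groups by ll_sourceUser, WITHIN 30m bounds the window, and the two HAVING clauses decide whether the group triggers. Field names follow the ECL above; the users and timestamps are constructed sample data, and the sliding-window evaluation is an assumption about how the appliance applies WITHIN.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # WITHIN 30m

# Constructed sample events (not real LogLogic data): (timestamp, ll_sourceUser, ll_eventStatus).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "alice", "failed"),   # alice: 3 failed, 1 success -> triggers
    ("2024-05-01T10:05:00", "alice", "failed"),
    ("2024-05-01T10:07:00", "alice", "failed"),
    ("2024-05-01T10:09:00", "alice", "success"),
    ("2024-05-01T10:01:00", "bob", "failed"),     # bob: 2 failed, 1 success -> 2 > 2 is false
    ("2024-05-01T10:02:00", "bob", "failed"),
    ("2024-05-01T10:03:00", "bob", "success"),
    ("2024-05-01T10:00:00", "carol", "failed"),   # carol: only one distinct status
    ("2024-05-01T10:01:00", "carol", "failed"),
    ("2024-05-01T10:02:00", "carol", "failed"),
    ("2024-05-01T11:00:00", "dave", "failed"),    # dave: success falls outside the 30m window
    ("2024-05-01T11:01:00", "dave", "failed"),
    ("2024-05-01T11:02:00", "dave", "failed"),
    ("2024-05-01T12:00:00", "dave", "success"),
]

def evaluate_blok_9(events, window=WINDOW):
    """Model of Blok Example 9: returns {ll_sourceUser: (failed, success)} for every
    user with a window satisfying both HAVING clauses."""
    # WHERE [ll_eventStatus] ="failed" OR [ll_eventStatus]="success"
    relevant = [e for e in events if e[2] in ("failed", "success")]
    # WITH THE SAME [ll_sourceUser]: one event group per user
    by_user = defaultdict(list)
    for ts, user, status in relevant:
        by_user[user].append((ts, status))
    triggered = {}
    for user, evs in by_user.items():
        evs.sort()  # ISO-8601 timestamps sort correctly as strings
        times = [datetime.fromisoformat(ts) for ts, _ in evs]
        # WITHIN 30m: assumed to behave as a window starting at each event
        for i, start in enumerate(times):
            statuses = [s for (_, s), t in zip(evs[i:], times[i:]) if t - start < window]
            failed = statuses.count("failed")
            success = statuses.count("success")
            # HAVING AT LEAST 2 DISTINCT [ll_eventStatus]
            if len(set(statuses)) < 2:
                continue
            # HAVING SUM(failed) > (2 * SUM(success)): strict inequality, so 2 vs 1 does not fire
            if failed > 2 * success:
                triggered[user] = (failed, success)
                break
    return triggered
```

Running `evaluate_blok_9(SAMPLE_EVENTS)` shows why only alice fires: bob has exactly twice as many failures (not more), carol never has a second distinct status, and dave's success arrives after the window closes.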