Correlation Blok (ECL) Examples

A correlation Blok can be used in Advanced Search on historic data for forensic analysis. It can also be used in a rule, which triggers in real time to generate alerts and notifications. Notifications can be in the form of email, syslog, or SNMP.

Example 1:

This Blok triggers a new alert at the first matching event and then accumulates all further events that arrive during the 30 minute time period.

USE LogLogic_Appliance
WITHIN 30m
EVENT GROUP [My EVENTS]

Example 2:

This Blok does the same as Example 1, but the alerts it generates also report the number of distinct ll_sourceDomain and ll_deviceTypeID values seen in the window, together with the values themselves.

USE LogLogic_Appliance WITHIN 30m
EVENT GROUP [My EVENTS]
HAVING AT LEAST 1 DISTINCT [ll_sourceDomain]
HAVING AT LEAST 1 DISTINCT [ll_deviceTypeID]

Example 3:

This Blok filters for events whose ll_deviceTypeID equals "17" and triggers only once at least 2 distinct values of ll_sourceIP have been seen within the window.

USE LogLogic_Appliance WITHIN 30m
EVENT GROUP [My EVENTS]
WHERE [ll_deviceTypeID] ="17"
HAVING AT LEAST 2 DISTINCT [ll_sourceIP]

Example 4:

This Blok applies the same filter as the previous one, but requires at least 100 events coming from the same ll_sourceIP. The alert reports the number of distinct ll_eventStatus values seen for that source and what they are.

USE LogLogic_Appliance WITHIN 30m
EVENT GROUP [suspiciousSources] AT LEAST 100 EVENTS
WHERE [ll_deviceTypeID] ="17"
WITH THE SAME [ll_sourceIP]
HAVING AT LEAST 1 DISTINCT [ll_eventStatus]

Example 5:

This Blok filters events the same way as the previous one, and looks for at least 100 events from the same ll_sourceUser that come from at least 10 distinct values of ll_sourceIP while showing at most 1 distinct value of ll_eventStatus (a single outcome for one account from many source addresses).

USE LogLogic_Appliance WITHIN 30m
EVENT GROUP [suspiciousUsers] AT LEAST 100 EVENTS
WHERE [ll_deviceTypeID] ="17"
WITH THE SAME [ll_sourceUser]
HAVING AT MOST 1 DISTINCT [ll_eventStatus]
HAVING AT LEAST 10 DISTINCT [ll_sourceIP]

Example 6:

This Blok looks at two event groups within the same 30 minute window. The first group, [success], holds successful authentication events grouped by the same ll_sourceUser and ll_sourceIP; the second group, [failed], holds failure events grouped the same way. The Blok triggers when the correlated fields of a [success] group (ll_sourceIP and ll_sourceUser) are the same as those of a [failed] group, that is, when the same user from the same address has both failures and a success within the window.

USE LogLogic_Appliance WITHIN 30m
EVENT GROUP [success] AT LEAST 1 EVENTS
WHERE [ll_deviceTypeID] ="17" AND [ll_eventStatus] = "success"
WITH THE SAME [ll_sourceUser],[ll_sourceIP]
EVENT GROUP [failed] AT LEAST 1 EVENTS
WHERE [ll_deviceTypeID] ="17" AND [ll_eventStatus] ="failure"
WITH THE SAME [ll_sourceUser],[ll_sourceIP]
CORRELATION success->[ll_sourceIP]== failed->[ll_sourceIP]
success->[ll_sourceUser]== failed->[ll_sourceUser]

Example 7:

Same as the previous Blok, but the [success] group is marked as excluded, so the Blok triggers only when there are failed events and no success event within 30m for the same ll_sourceIP / ll_sourceUser pair.

USE LogLogic_Appliance WITHIN 30m
EVENT GROUP [success] is excluded AT LEAST 1 EVENTS
WHERE [ll_deviceTypeID] ="17" AND [ll_eventStatus] ="success"
WITH THE SAME [ll_sourceUser],[ll_sourceIP]
EVENT GROUP [failed] AT LEAST 1 EVENTS
WHERE [ll_deviceTypeID] ="17" AND [ll_eventStatus] = "failure"
WITH THE SAME [ll_sourceUser],[ll_sourceIP]
CORRELATION success->[ll_sourceIP]== failed->[ll_sourceIP]
success->[ll_sourceUser]== failed->[ll_sourceUser]

Example 8:

This Blok looks for users that have both failure and success events within the window: the WHERE clause admits events whose ll_eventStatus is either "failure" or "success", and HAVING AT LEAST 2 DISTINCT [ll_eventStatus] requires both values to be present for the same ll_sourceUser.

USE LogLogic_Appliance WITHIN 30m
EVENT GROUP [users]
WHERE [ll_eventStatus] ="failure" OR [ll_eventStatus]="success"
WITH THE SAME [ll_sourceUser]
HAVING AT LEAST 2 DISTINCT [ll_eventStatus]

Example 9:

Same as Example 7, with the additional constraint that there are twice as many failed events as success events. Note that the status literals are capitalized here ("Success", "Failure"), unlike in Example 7; check which form your ll_eventStatus values actually take before reusing either Blok.

USE LogLogic_Appliance WITHIN 30m
EVENT GROUP [success] is excluded AT LEAST 1 EVENTS
WHERE [ll_deviceTypeID] ="17" AND [ll_eventStatus] ="Success"
WITH THE SAME [ll_sourceUser],[ll_sourceIP]
EVENT GROUP [failed] AT LEAST 1 EVENTS
WHERE [ll_deviceTypeID] ="17" AND [ll_eventStatus] = "Failure"
WITH THE SAME [ll_sourceUser],[ll_sourceIP]
CORRELATION success->[ll_sourceIP]== failed->[ll_sourceIP]
success->[ll_sourceUser]== failed->[ll_sourceUser]

Example 10:

This Blok uses the matchcidr() function to test sys_collectIP against an enrichment list: the event matches when the address falls inside an entry of the list IPList that carries the label "IP1".

USE system WITHIN 20m
EVENT GROUP eg1
WHERE matchcidr("IPList",sys_collectIP,"IP1")

For an enrichment list named IPList:

{"192.168.56.101/32":"IP1","191.163.56.101/32":"IP2","198.168.0.0-198.168.255.255":"IP3","2001:4860:4860::8888/32":"IP4"}

and for sys_collectIP = "192.168.56.101", "198.168.56.101", then:
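The lookup that matchcidr() performs against the IPList entries above can be reproduced in Python with the standard ipaddress module. This is an added example, not LogLogic code; it assumes that matchcidr(list, ip, label) is true when the address lies inside some entry of the named list whose value equals the label, that an entry is either a CIDR prefix (IPv4 or IPv6) or a "first-last" range, and that a multi-valued sys_collectIP matches when any of its values does. The helper names (labels_for, matchcidr_any) are assumptions made for the illustration.

```python
"""Python model of the ECL matchcidr() enrichment lookup from Example 10
(added example, not LogLogic code).  Assumed semantics: matchcidr(list, ip,
label) is true when ip lies inside an entry of the list labelled `label`."""
import ipaddress

# The enrichment list from the page, as a Python dict keyed by list name.
ENRICHMENT = {
    "IPList": {
        "192.168.56.101/32": "IP1",
        "191.163.56.101/32": "IP2",
        "198.168.0.0-198.168.255.255": "IP3",
        "2001:4860:4860::8888/32": "IP4",
    }
}


def _contains(entry, ip):
    """True if address `ip` lies in `entry`, a CIDR prefix or a 'first-last' range.
    Version is checked first so an IPv4 address never matches an IPv6 entry."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return first.version == ip.version and first <= ip <= last
    # strict=False accepts prefixes with host bits set, e.g. 2001:4860:4860::8888/32
    net = ipaddress.ip_network(entry, strict=False)
    return ip.version == net.version and ip in net


def labels_for(list_name, ip_str):
    """All labels whose entries contain ip_str, in list order (assumed helper)."""
    ip = ipaddress.ip_address(ip_str)
    return [label for entry, label in ENRICHMENT[list_name].items() if _contains(entry, ip)]


def matchcidr(list_name, ip_str, label):
    """Model of WHERE matchcidr("IPList", sys_collectIP, "IP1") for one address."""
    return label in labels_for(list_name, ip_str)


def matchcidr_any(list_name, ip_strs, label):
    """A multi-valued sys_collectIP: true if any of its values matches (assumption)."""
    return any(matchcidr(list_name, s, label) for s in ip_strs)


if __name__ == "__main__":
    for addr in ("192.168.56.101", "198.168.56.101"):
        print(addr, labels_for("IPList", addr), matchcidr("IPList", addr, "IP1"))
```

With the two addresses from the page, 192.168.56.101 sits in the /32 labelled IP1 and matches, while 198.168.56.101 falls only in the 198.168.0.0-198.168.255.255 range labelled IP3 and does not match "IP1"; the IPv6 entry is a /32 prefix despite the full host address written in the key, so the whole 2001:4860::/32 block carries label IP4.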