The multi-events correlation rules

A correlation rule is used to alert the admin when an event, or a series of events, occur in a specified time range.
In order to create a multi-events rule following requirements are needed:

Requirements:

• A mail server must be configured. Look Configure a Mail server section to see how to configure a mail server.
• Pattern must belong to specific class.

Using the SGBox web interface: SGBOX > LCE > Rules

Clink on New Rule

On the left section,tab Events, find the interested events and drag it in correct section on the right.

Timeout is the maximum time between the fist and last event.
In this case rule has been verified if: at least three login fail happen within 300 seconds.

You can make the rule more specif by connect some parameters between the events:
Selecting the down arrow the events menu is shown, you can select the Previous Host option in order to tell SGBox that second event must be occur on the same host as previous.
Select in the Relative column to connect the parameter between events.
In this case the second event’s TargetUserName must be the same as first event’s TargetUserName.

We tell SGBox also that:

• the third event must be occur on the same host as second
• third event’s TargetUserName must be the same as second event’s TargetUserName

Click on Save to save the rule.
Give a name, description, and click on Active flag to enable it.