The ability to detect anomalies in user logon activity, i.e. logging on to a system they have never used before.

Comments

  • One idea is to set up a map that has "user,host" as its key and is configured to flag events when the "user,host" combination is already in the map. A correlation rule can then be configured to look for events where the flag is not set, which would indicate that the "user,host" combination is new, and the correlation rule can trigger an alert as well as execute a WriteToMap action to write the "user,host" combination to the map so that future events with the same combination will be flagged as already seen before.

    https://www.netiq.com/support/sentinel/plugins/prod/actions/WriteToMap_2011.1r2.pdf
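The map-and-flag approach from the comment above, as an added example that is not part of the original post and is not Sentinel code: a Python set stands in for the "user,host" map and adding to it stands in for the WriteToMap action. The CSV event format, the field names (`ts`, `user`, `host`, `outcome`), the `learning_until` option and the sample events are all constructed for illustration.

```python
"""First-seen (user, host) logon detector.

Added example modelling the map-and-flag idea: a set plays the role of the
"user,host" map, a lookup hit means the pair was already seen, a miss raises
an alert and writes the pair back (the WriteToMap step).  Event format,
field names and sample events are constructed, not real Sentinel data.
"""
import csv
import io
from datetime import datetime
from typing import Optional


def parse_ts(ts: str) -> datetime:
    """Parse the constructed ISO-8601 'Z' timestamps (works on Python 3.7+)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


class FirstSeenLogonDetector:
    """Flags the first successful logon of a user to a host."""

    def __init__(self, learning_until: Optional[datetime] = None):
        self.seen = set()  # the "user,host" map: membership == already seen
        # Optional baseline window (assumed feature, not from the post): pairs
        # observed before this instant are written to the map silently, so
        # switching the rule on does not alert once per existing relationship.
        self.learning_until = learning_until

    @staticmethod
    def key(user: str, host: str):
        # Normalise case and drop a DNS suffix so "Bob" on "WS-ENG-07.corp.example"
        # and "bob" on "ws-eng-07" are one pair, not two "new" ones.
        return (user.strip().lower(), host.strip().lower().split(".")[0])

    def process(self, event: dict) -> Optional[dict]:
        """Return an alert dict if the pair is new, otherwise None."""
        # Only successful logons define the baseline.  Writing failed attempts
        # into the map would let an attacker seed a host with one failed try
        # and then log on later without the pair counting as new.
        if event["outcome"] != "success":
            return None
        k = self.key(event["user"], event["host"])
        if k in self.seen:
            return None  # flag set: combination already known
        self.seen.add(k)  # WriteToMap: later events for this pair are "seen"
        if self.learning_until is not None and parse_ts(event["ts"]) < self.learning_until:
            return None  # baseline learning: record without alerting
        return {"ts": event["ts"], "user": k[0], "host": k[1],
                "rule": "first_seen_user_host"}


def run(events_csv: str, learning_until: Optional[datetime] = None) -> list:
    """Replay CSV logon events through one detector and collect its alerts."""
    det = FirstSeenLogonDetector(learning_until)
    alerts = []
    for event in csv.DictReader(io.StringIO(events_csv)):
        alert = det.process(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = """\
ts,user,host,outcome
2024-03-01T08:01:12Z,alice,ws-fin-01,success
2024-03-01T08:03:45Z,Bob,WS-ENG-07.corp.example,success
2024-03-01T08:10:02Z,alice,ws-fin-01,success
2024-03-01T09:15:30Z,alice,srv-db-02,failure
2024-03-01T09:16:01Z,alice,srv-db-02,success
2024-03-01T10:00:00Z,bob,ws-eng-07,success
2024-03-02T08:02:00Z,carol,ws-fin-01,success
"""

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"ALERT {a['ts']} {a['user']} first logon to {a['host']}")
```

Three details matter in practice and are reflected above: only successful logons should populate the map, the user and host fields need normalising before they form the key, and a learning window keeps the first day of the rule from alerting on every existing user/host relationship. In a real deployment the map must also persist across restarts of the correlation engine, otherwise every pair becomes "new" again.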