Creating a multicondition rule

Consider a sample scenario for creating an event when a combination of conditions is fulfilled.

See "About rule conditions" on page 88.

If the following conditions are met, then an event must be triggered:

The user logs on to a Windows domain controller.

The user creates a new user.

The user modifies the privileges for the newly created user. (For example, the user gives the new user domain admin privileges.)

The user logs out.

Note: The event codes in the procedures are applicable to Microsoft Windows 2000. They may vary for other operating systems.

To create a new rule

1 On the console of the Information Manager client, click Rules.

2 In the left navigation pane, under the Correlation Rules folder, click User Rules.

3 On the Rules tab, click Create new filter or rule (+).

4 In the Input dialog box, type a name for the rule.

The rule name appears in red color under the User Rules folder.

5 In the description box, type the description for the rule. (For example, monitor for the events that occur when all the conditions that are specified are fulfilled.)

Once you create a new rule, you must configure the rule conditions that are required based on the scenario.

To configure the rule conditions

1 On the Conditions tab, in the Description window, type a description for the rule.

2 On the Conditions tab, on the Rule Type menu, click MultiCondition as it applies to the new rule.

3 In the Event Criteria area, click Add.

Add the conditions that are required to trigger the rule.

To add Condition 1

1 Select the left column of the new entry. From the drop-down list that appears, select the Events tab and click on the Host Intrusion Activity folder.

From the collapsible list that is displayed, select Intrusion Action ID.

2 Select the center column and select the = operator.

3 Select the right column, and then select Login. This value corresponds to the logon action.

4 If the events must occur more than once for an incident to be declared, specify the count of events in the Event Count list that is located in the Event Criteria area.

Add the other conditions that are required to trigger the rule.

To add Condition 2

1 Under Rule Type, click Add to add a second condition.

2 Select the left column of the new entry for Condition 2. From the drop-down list that appears, click the Common tab and select Symantec Event Code.

3 Select the center column and select the = operator.

4 Select the right column, and then select 722. This value corresponds to a new user account created.

5 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.

Add the other conditions that are required to trigger the rule.

To add Condition 3

1 Under Rule Type, click Add to add a third condition.

2 Select the left column of the new entry for Condition 3. From the drop-down list that appears, click the Common tab and select Vendor Signature.

user account being added to domain admin group for the third condition.

4 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.

Add the other conditions that are required to trigger the rule.

To add Condition 4

1 Under Rule Type, click Add to add a fourth condition.

2 Select the left column of the new entry for Condition 4. From the drop-down list that appears, click the Common tab and select Symantec Event Code.

3 Select the center column and select the = operator.

4 Select the right column, and then select 720. This value corresponds to the user account Log-off for the fourth condition.

5 In the Tracking Keys area, under the One-Many field, click Add and select Agent Host.

Under the Tracking field, click Add and select IP destination address.

6 If the events must occur more than once for an incident to be declared, in the Event Criteria area, specify the count of events in the Event Count list.

7 In Span, set the time span equal to 20 minutes.

8 In Table Size, specify the maximum number of events that the rule can track at any one time.
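The following Python correlator is an added illustration of the logic the four conditions, the Agent Host tracking key, the 20-minute Span and the Table Size configure; it is not code from the product or from this manual. It assumes the event field names shown, treats Agent Host as the key that all four events must share, uses a placeholder for the Condition 3 Vendor Signature value (which this page does not give), and runs on constructed sample events.

```python
from collections import OrderedDict
from datetime import datetime, timedelta

SPAN = timedelta(minutes=20)  # the Span set in step 7
TABLE_SIZE = 2                # the Table Size from step 8: hosts tracked at once
SIG = "PLACEHOLDER_ADD_TO_DOMAIN_ADMINS"  # Condition 3 value is not on this page

CONDITIONS = [  # Conditions 1-4, in the order the rule requires them
    lambda e: e.get("intrusion_action_id") == "Login",
    lambda e: e.get("symantec_event_code") == 722,  # new user account created
    lambda e: e.get("vendor_signature") == SIG,     # user added to domain admin group
    lambda e: e.get("symantec_event_code") == 720,  # user account log-off
]

def correlate(events, span=SPAN, table_size=TABLE_SIZE):
    """Return (agent_host, time of final event) for each completed chain. Agent Host
    is the tracking key (assumed: all four events must share it)."""
    table = OrderedDict()  # agent_host -> (stage reached, time the chain started)
    conclusions = []
    for e in sorted(events, key=lambda x: x["time"]):
        host = e["agent_host"]
        stage, start = table.get(host, (0, None))
        if start is not None and e["time"] - start > span:
            del table[host]  # window expired: forget the partial chain
            stage, start = 0, None
        if not CONDITIONS[stage](e):
            continue  # not the next condition for this host; ignore the event
        stage, start = stage + 1, start or e["time"]
        if stage == len(CONDITIONS):
            conclusions.append((host, e["time"]))  # all four met, in order, in span
            table.pop(host, None)
            continue
        table[host] = (stage, start)
        table.move_to_end(host)
        while len(table) > table_size:
            table.popitem(last=False)  # evict the least recently updated host
    return conclusions

T0 = datetime(2024, 1, 1, 9, 0)
ev = lambda m, h, **f: dict(time=T0 + timedelta(minutes=m), agent_host=h, **f)
# Constructed sample: dc01 completes in 8 minutes; dc02's log-off is outside the span
SAMPLE = [
    ev(0, "dc01", intrusion_action_id="Login"), ev(2, "dc01", symantec_event_code=722),
    ev(5, "dc01", vendor_signature=SIG), ev(8, "dc01", symantec_event_code=720),
    ev(0, "dc02", intrusion_action_id="Login"), ev(3, "dc02", symantec_event_code=722),
    ev(4, "dc02", vendor_signature=SIG), ev(25, "dc02", symantec_event_code=720),
]
def run_sample(table_size=TABLE_SIZE):
    return correlate(SAMPLE, table_size=table_size)
```

Running `run_sample(table_size=1)` shows the Table Size caveat: with only one tracked host, dc02's logon evicts dc01's partial chain and no conclusion is produced at all.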

After you configure the rule conditions, you must configure the rule actions.

To configure the rule actions

1 On the Actions tab, in the Conclusion Severity option, specify the severity that you want associated with the incident.

2 In the Conclusion Description area, type a description of the problem. This information appears to users who are assigned the incidents or the tickets that are based upon the incidents that this rule triggers.

(Optional) Click Add (+) to include the values of fields from the final event that triggered the conclusion.

3 In the Correlate By drop-down list, specify the method by which conclusions are grouped into incidents.

4 In the Resource Field menu, choose the desired event fields. Conclusions can be correlated together into the incidents that are based on the value of this resource field.

5 To specify that a user or team is automatically assigned to incidents that this rule creates, do the following:

Turn on Enable Auto Assign.

If you want to automatically assign incidents to the least busy member in a user group, check Assign to least busy user and then select the corresponding user group.

To assign the incident that is based upon the IP address of the affected target computer, in the left column, type the IP address or netmask.

In the User column, click the user to whom you want to assign the incidents.

In the User Group column, click the help desk team to which you want to assign the incidents.

After you specify the conditions and the actions, you can test the rule and then deploy it on the server.

To deploy the rule on the server

1 On the Testing tab, specify the location of a file containing event data, and then click Start Test.

2 When you are satisfied with the incidents and conclusions that this rule creates, turn on the rule in the Rules list.

3 On the top toolbar, click Deploy to the server.