Occasionally you may want to see alarms raised whenever a certain event occurs in your AlienVault USM Appliance system. This topic describes how to raise an alarm on an SSH login failure event.
Step 1: Go to Configuration > Threat Intelligence > Directives and select New Directive.
Step 2: Name the directive, select the relevant taxonomy values and set a priority for the directive.
Step 3: Next, name the rule. Because this example alarms on a failed SSH login attempt, the rule was named SSH Login Failure.
Step 4: Next, select the event type plugin. In this case SSH was chosen, using the search box to find the plugin by name.
Step 5: Now select the particular event sub-types that should trigger the alarm.
In this case we only require the alarm to trigger on a failed SSH password, so SSHd: Failed password was selected.
Step 6: The next screen allows you to specify source and destination IP addresses, networks, ports, etc.
In this case we were not concerned with these details, so they were left blank, which means any source and any destination.
Step 7: Next, set a reliability value. It is used in the calculation of the overall risk, which determines whether an alarm is triggered. We chose 5 so that the calculated risk (based on the formula shown in the screenshot) will be 1, given a priority of 3 (see Step 2) and the default asset value of 2.
Step 8: You have the option to define further conditions such as Protocol, Sensor, etc. by clicking "NEXT".
This was not required in our case, so we selected Finish instead.
Step 9: Once completed, the new directive can be reviewed and edited as required.
Step 10: Finally, to test that the new directive triggers successfully, we must perform a failed SSH login. Then we can check for the alarm by going to Analysis > Alarms and filtering for the name of the alarm we created. In this example, it is Failed Login Attempt.
This gives the expected result: an alarm was generated successfully from the failed SSH login attempt.
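As an added illustration (not part of the original article), the following Python reproduces the USM Appliance risk calculation from Step 7 so the reliability value can be checked before the directive is saved. Since the screenshot is not reproduced here, the formula is assumed from the standard USM/OSSIM documentation: risk = asset value × priority × reliability / 25, truncated to an integer, with an alarm raised when the risk is 1 or higher.

```python
# Added example, not code from the original article or from AlienVault.
# Assumed USM/OSSIM risk formula (the article's screenshot is not reproduced):
#   risk = (asset_value * priority * reliability) / 25, truncated to an integer
# Value ranges: asset value 0-5, priority 0-5, reliability 0-10.
# USM raises an alarm when the computed risk is 1 or higher.
from typing import Optional

ALARM_THRESHOLD = 1


def calculate_risk(asset_value: int, priority: int, reliability: int) -> int:
    """Return the integer risk value USM computes for a correlated event."""
    if not (0 <= asset_value <= 5 and 0 <= priority <= 5 and 0 <= reliability <= 10):
        raise ValueError("asset value 0-5, priority 0-5, reliability 0-10")
    return (asset_value * priority * reliability) // 25


def raises_alarm(asset_value: int, priority: int, reliability: int) -> bool:
    """True when the directive would produce an alarm for these values."""
    return calculate_risk(asset_value, priority, reliability) >= ALARM_THRESHOLD


def minimum_reliability(asset_value: int, priority: int) -> Optional[int]:
    """Smallest reliability (0-10) at which the rule alarms, or None if no
    reliability value can reach the threshold for this asset/priority pair."""
    for reliability in range(0, 11):
        if raises_alarm(asset_value, priority, reliability):
            return reliability
    return None


if __name__ == "__main__":
    # Values from the article: default asset value 2, priority 3, reliability 5.
    print("risk with reliability 5:", calculate_risk(2, 3, 5))   # 1 -> alarm
    print("risk with reliability 4:", calculate_risk(2, 3, 4))   # 0 -> no alarm
    # Confirms 5 is the lowest reliability that alarms for priority 3, asset 2.
    print("minimum reliability:", minimum_reliability(2, 3))     # 5
```

Lowering the directive priority or protecting a low-value asset can make the threshold unreachable, which `minimum_reliability` reports as `None`.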
See Part 2 of this article: Raising Alarms on SSH Log-in Failure Events - Part 2.