A Quick Guide to Help You Understand and Create User Behavior Rules With SureLog SIEM-4
Oct 5, 2019
The SureLog correlation library ships with many built-in user behavior rules, and a wizard is provided for developing new rules or models. One example is a rule that triggers on failed logins outside business hours when all of the following conditions are met:
- At least 2 failed logins for the same user
- The failed logins fall within a 3600 second (60 minute) window
- The failed logins occur outside business hours; by default this means after 5 pm and before 9 am the following day, in UTC
- The device is not on the whitelist (device classes exempt from the failed login alert)
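The following is an added example of how the four conditions above combine into working detection logic; it is not SureLog's own code, and the `key=value` log format, the `SAMPLE_LOG` events, the `vpn_concentrator` whitelist entry and the one-alert-per-burst suppression are all constructed assumptions for illustration. It keeps a per-user sliding window of qualifying failed logins and fires once the window holds at least two failures within 3600 seconds, including the case where the window spans midnight.

```python
from collections import defaultdict, deque
from datetime import datetime

# Rule parameters, matching the defaults described in the post.
MIN_FAILED_LOGINS = 2
WINDOW_SECONDS = 3600          # 60 minutes
BUSINESS_START_HOUR = 9        # business hours are 09:00-17:00 UTC
BUSINESS_END_HOUR = 17

# Hypothetical whitelist: device classes exempt from the failed-login alert.
WHITELISTED_DEVICE_CLASSES = {"vpn_concentrator"}

# Constructed sample log, one key=value event per line (not real SureLog output).
SAMPLE_LOG = """\
ts=2019-10-04T18:05:00Z user=alice result=failure device_class=workstation
ts=2019-10-04T18:40:00Z user=alice result=failure device_class=workstation
ts=2019-10-04T13:00:00Z user=bob result=failure device_class=workstation
ts=2019-10-04T13:10:00Z user=bob result=failure device_class=workstation
ts=2019-10-04T22:00:00Z user=carol result=failure device_class=vpn_concentrator
ts=2019-10-04T22:05:00Z user=carol result=failure device_class=vpn_concentrator
ts=2019-10-04T20:00:00Z user=dave result=failure device_class=workstation
ts=2019-10-04T21:30:00Z user=dave result=failure device_class=workstation
ts=2019-10-04T22:00:00Z user=eve result=success device_class=workstation
ts=2019-10-04T23:30:00Z user=frank result=failure device_class=workstation
ts=2019-10-05T00:10:00Z user=frank result=failure device_class=workstation
"""


def outside_business_hours(ts: datetime) -> bool:
    """True when ts (UTC) falls after 17:00 or before 09:00."""
    return ts.hour >= BUSINESS_END_HOUR or ts.hour < BUSINESS_START_HOUR


def parse_event(line: str) -> dict:
    """Parse one constructed key=value line; 'ts' becomes an aware UTC datetime."""
    event = dict(field.split("=", 1) for field in line.split())
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def evaluate(log_text: str) -> list:
    """Run the after-hours failed-login rule over the log and return alerts.

    An alert fires the moment a user accumulates MIN_FAILED_LOGINS qualifying
    failures within WINDOW_SECONDS. The window is then cleared so one burst of
    failures yields one alert (an assumption here; the post does not describe
    SureLog's suppression behaviour).
    """
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    windows = defaultdict(deque)   # user -> timestamps of qualifying failures
    alerts = []
    for ev in events:
        # Events excluded from the rule: successes, whitelisted device classes,
        # and anything inside business hours.
        if ev["result"] != "failure":
            continue
        if ev["device_class"] in WHITELISTED_DEVICE_CLASSES:
            continue
        if not outside_business_hours(ev["ts"]):
            continue
        window = windows[ev["user"]]
        window.append(ev["ts"])
        # Drop failures older than WINDOW_SECONDS relative to the newest one.
        while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MIN_FAILED_LOGINS:
            alerts.append({
                "user": ev["user"],
                "failed_logins": len(window),
                "first": window[0].isoformat(),
                "last": window[-1].isoformat(),
            })
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

Running this over the sample fires for alice (two failures 35 minutes apart in the evening) and frank (two failures 40 minutes apart across midnight), while bob's daytime failures, carol's whitelisted device and dave's failures 90 minutes apart stay silent. Two caveats when tuning the real rule: the default hours are evaluated in UTC, so an organisation outside UTC should shift the 9 am / 5 pm boundaries rather than rely on the defaults, and a threshold of two failures is low enough that the device-class whitelist is what keeps noisy sources such as service accounts behind shared gateways from flooding the alert.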