Tutorial: Create a Policy to Send Emails for Account Lockout Events

Applies to Product: USM Appliance™ LevelBlue OSSIM®

The Send an Email Message policy action is also useful for account lockout events. Notifications of this kind help not only with security events, but also with user-related events that IT needs to know about, such as a user locking themselves out.

To create a directive for specific user account lockout events

  1. Go to Configuration > Threat Intelligence > Directives > New Directives

  2. In the New Directive window, fill out the fields as follows:
    • Name for the Directive — User Lockout Notice
    • Intent — Environmental Awareness
    • Strategy — Bruteforce Authentication
    • Method — Attack
    • Priority — 3

  3. Click Next

  4. Name the rule and click Next.

  5. Scroll down or use the search at the bottom to find Directive_Alert and click on it to select it.

  6. In the Event Sub-Types Plugin Signatures window, search for "Lockout" or "32110" to find signature 32110 (directive event: AV Policy, Account Lockout).

  7. Click the plus (+) icon to add it to the left column and click Next.

  8. In the Network window, select the networks the directive should apply to, if any, and click Next.

  9. Assign a Reliability of 5 and click Next.

  10. Click Finish to save the new directive.

  11. Click Restart Server on the Directives page to load the newly added directive.
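After Restart Server, it is worth confirming that the directive was saved with the values the steps above specify before building the data source group and policy on top of it. The script below is an added example and is not code from the tutorial or from LevelBlue; it parses a constructed XML snippet laid out like an OSSIM user directive file (the attribute names, the file path /etc/ossim/server/user.xml and the directive ids are assumptions, so adjust them if your installation differs), reports any field that differs from the tutorial's settings (plugin 1505, signature 32110, reliability 5, priority 3), and shows which directives would fire on a given event.

```python
"""Sanity-check a saved OSSIM directive for the account-lockout tutorial.

Added example, not part of the original tutorial. The XML below is a
constructed sample modeled on the layout of OSSIM's user directive file
(assumed to be /etc/ossim/server/user.xml); the attribute set and the
directive ids are assumptions, so adjust them to match your installation.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an OSSIM user directive file (assumption).
SAMPLE_USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<directives>
  <directive id="500001" name="User Lockout Notice" priority="3">
    <rule type="detector" name="Account lockout seen" reliability="5"
          occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
          plugin_id="1505" plugin_sid="32110"/>
  </directive>
  <directive id="500002" name="Broken copy" priority="3">
    <rule type="detector" name="Wrong signature" reliability="2"
          occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
          plugin_id="1505" plugin_sid="32111"/>
  </directive>
</directives>
"""

# Values the tutorial tells you to set in the GUI.
EXPECTED = {"plugin_id": "1505", "plugin_sid": "32110",
            "reliability": "5", "priority": "3"}


def load_directives(xml_text):
    """Return {directive name: (priority, [rule attribute dicts])}."""
    root = ET.fromstring(xml_text)
    out = {}
    for d in root.iter("directive"):
        rules = [dict(r.attrib) for r in d.iter("rule")]
        out[d.get("name")] = (d.get("priority"), rules)
    return out


def lint_directive(xml_text, name, expected=EXPECTED):
    """List the ways directive `name` differs from the tutorial's settings.

    An empty list means the directive was saved as the steps describe.
    """
    directives = load_directives(xml_text)
    if name not in directives:
        return [f"directive {name!r} not found (did you click Finish and Restart Server?)"]
    priority, rules = directives[name]
    problems = []
    if priority != expected["priority"]:
        problems.append(f"priority is {priority}, expected {expected['priority']}")
    if not rules:
        return problems + ["directive has no rules"]
    first = rules[0]  # the single detector rule created in step 4
    for key in ("plugin_id", "plugin_sid", "reliability"):
        if first.get(key) != expected[key]:
            problems.append(f"{key} is {first.get(key)}, expected {expected[key]}")
    return problems


def rule_matches(rule, event):
    """True if a detector rule fires on an event, judged on plugin_id and
    plugin_sid only. The network filter chosen in step 8 is ignored in this
    toy check, so treat a match here as "would fire for any source network"."""
    return (rule.get("plugin_id") == str(event["plugin_id"])
            and rule.get("plugin_sid") == str(event["plugin_sid"]))


def firing_directives(xml_text, event):
    """Names of directives whose first rule matches the event."""
    return [name for name, (_, rules) in load_directives(xml_text).items()
            if rules and rule_matches(rules[0], event)]


if __name__ == "__main__":
    # Constructed events: the AV Policy "Account Lockout" signature and an
    # unrelated signature id from the same data source.
    lockout = {"plugin_id": 1505, "plugin_sid": 32110}
    other = {"plugin_id": 1505, "plugin_sid": 32111}
    print("lint User Lockout Notice:",
          lint_directive(SAMPLE_USER_XML, "User Lockout Notice") or "OK")
    print("lint Broken copy:", lint_directive(SAMPLE_USER_XML, "Broken copy"))
    print("fires on lockout:", firing_directives(SAMPLE_USER_XML, lockout))
    print("fires on other:", firing_directives(SAMPLE_USER_XML, other))
```

Run it against your own file by replacing SAMPLE_USER_XML with the contents of the directive file; a non-empty lint list for "User Lockout Notice" means the policy created later will never see the directive event, or will see it with the wrong reliability.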

To create the DataSource Group for lockout events

  1. Go to Configuration > Threat Intelligence > Data Source.

  2. Click Data Source Groups, and then click Add New Group.

  3. Give the group a name, such as "Account Lockout Group" and give it a description.

  4. Click Add By Data Source, search for "1505", and click the 1505 directive_alert data source to add it to the group.

  5. Click the pencil icon by the newly added 1505 directive_alert data source.

  6. Search for the recently created lockout directive and click the plus (+) sign to add it to the left column, then click Submit Selection.

  7. Click Update to save your changes.

To create the policy

  1. Go to Configuration > Threat Intelligence > Policy.
  2. Scroll down to the Policies for events generated in server section and click New.
  3. Give the new policy a name.
  4. Scroll down to Policy Conditions and select the account lockout directive you created for the Event.
  5. Scroll down to Policy Consequences and click Insert New Action.
  6. Fill out the action name, context, and description fields.
  7. For Type, select Send an Email Message.
  8. Fill out the From, To, and Message fields.
  9. Click Save.
  10. Click the plus (+) sign on the new action to add it to the policy.
  11. Click the Update Policy button to save your changes and exit the policy modify page.
  12. Click the Reload Policies button on the main policies page to refresh and display the changes.
  13. Move the policy to a desired position on the list. See Policy Order and Grouping for details.

AlienVault OSSIM Limitations: USM Appliance includes more robust built-in policies, but in LevelBlue OSSIM you can still customize and build your own rules to fit your needs.