Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT REV 1 Manual page 98

STRM Log Management Users Guide
Default Rules and Building Blocks, page 92

Table B-6 Default Rules (continued)

| Rule | Group | Rule Type | Enabled | Description |
| --- | --- | --- | --- | --- |
| Default-Rule-Anomaly: Rate Analysis Marked Events | Anomaly | Event | False | Reports a host emitting events at a rate greater than normal. This may be normal, but in some cases can be an early warning sign that the host has changed behavior. We recommend that you perform an event search and/or flow search to determine if the host is exhibiting other suspicious activity. |
| Default-Rule-Anomaly: Remote Access from Foreign Country | Anomaly | Event | False | Reports successful logins or access from an IP address known to be in a country that does not have remote access rights. Before you enable this rule, we recommend that you configure the Default-BB-CategoryDefinition: Countries with no Remote Access building block. |
| Default-Rule-Authentication: Login Failure to Disabled Account | Authentication | Event | True | Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user. |
| Default-Rule-Authentication: Login Failure to Expired Account | Authentication | Event | True | Reports a host login failure message from a known expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages. |
| Default-Rule-Authentication: Login Failures Across Multiple Hosts | Authentication | Event | True | Reports authentication failures from the same source IP address more than three times, across more than three destination IP addresses, within 10 minutes. |
| Default-Rule-Authentication: Login Failures Followed By Success | Authentication | Event | True | Reports multiple login failures to a single host, followed by a successful login to the host. |
| Default-Rule-Authentication: Login Successful After Scan Attempt | Authentication | Event | True | Reports on events detected by the system when at least one of the configured rules is detected with the same source IP address, followed by successful authentication from the same IP address, within 30 minutes. |
| Default-Rule-Authentication: Multiple VoIP Login Failures | Authentication | Event | True | Reports multiple login failures to a VoIP PBX. |
| Default-Rule-Authentication: Repeated Login Failures, Single Host | Authentication | Event | True | Reports when a source IP address causes an authentication failure event at least seven times to a single destination within 5 minutes. |
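The three authentication rules in the table that state explicit thresholds (Login Failures Across Multiple Hosts, Repeated Login Failures, Single Host, and Login Failures Followed By Success) can be expressed as a small stateful correlator over normalized authentication events. The following is an added illustration and is not STRM's rule engine or any code from the guide. It assumes events have already been normalized to (timestamp, source IP, destination IP, outcome) tuples; the sample events are constructed here. The windows and counts for the first two rules come from the table; the table does not quantify "multiple" or give a window for Login Failures Followed By Success, so this example treats two or more prior failures to the same host from the same source as "multiple", which is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not taken from any STRM deployment:
# (timestamp, source IP, destination IP, outcome)
SAMPLE_EVENTS = [
    # one source failing against four different hosts within minutes
    ("2008-06-01 10:00:00", "10.1.1.5", "192.168.1.10", "fail"),
    ("2008-06-01 10:01:00", "10.1.1.5", "192.168.1.11", "fail"),
    ("2008-06-01 10:02:00", "10.1.1.5", "192.168.1.12", "fail"),
    ("2008-06-01 10:03:00", "10.1.1.5", "192.168.1.13", "fail"),
    # one source failing seven times against a single host, then succeeding
    *[(f"2008-06-01 10:10:{5 * i:02d}", "10.2.2.7", "192.168.1.20", "fail")
      for i in range(7)],
    ("2008-06-01 10:11:00", "10.2.2.7", "192.168.1.20", "success"),
    # a user who mistypes a password once: should fire nothing
    ("2008-06-01 10:20:00", "10.3.3.9", "192.168.1.30", "fail"),
    ("2008-06-01 10:20:30", "10.3.3.9", "192.168.1.30", "success"),
]

# Thresholds for the first two rules are taken from Table B-6.
MULTI_HOST_WINDOW = timedelta(minutes=10)
MULTI_HOST_MIN_FAILURES = 3      # "more than three times"
MULTI_HOST_MIN_DESTS = 3         # "more than three destination IP addresses"
SINGLE_HOST_WINDOW = timedelta(minutes=5)
SINGLE_HOST_MIN_FAILURES = 7     # "at least seven times"
# Assumption (not stated in the table): "multiple" failures before a success
# means two or more prior failures from the same source to the same host.
FOLLOWED_BY_SUCCESS_MIN_FAILURES = 2


def parse_events(rows):
    """Convert the string timestamps into datetimes, keeping the other fields."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, outcome)
            for ts, src, dst, outcome in rows]


def evaluate(events):
    """Replay events in time order and return (rule, source, dest, time) firings.

    Each rule fires once per (source, destination) pair per run so that a
    sustained attack does not produce one alert per event.
    """
    events = sorted(events, key=lambda e: e[0])
    failures = defaultdict(deque)  # source IP -> deque of (time, dest IP)
    fired = set()
    firings = []

    def fire(rule, src, dst, ts):
        key = (rule, src, dst)
        if key not in fired:
            fired.add(key)
            firings.append((rule, src, dst, ts))

    for ts, src, dst, outcome in events:
        if outcome == "fail":
            failures[src].append((ts, dst))

            # Login Failures Across Multiple Hosts: >3 failures spread over
            # >3 distinct destinations within the 10-minute window.
            recent = [(t, d) for t, d in failures[src] if ts - t <= MULTI_HOST_WINDOW]
            if (len(recent) > MULTI_HOST_MIN_FAILURES
                    and len({d for _, d in recent}) > MULTI_HOST_MIN_DESTS):
                fire("Login Failures Across Multiple Hosts", src, "*", ts)

            # Repeated Login Failures, Single Host: >=7 failures to this
            # destination within the 5-minute window.
            same_host = [t for t, d in failures[src]
                         if d == dst and ts - t <= SINGLE_HOST_WINDOW]
            if len(same_host) >= SINGLE_HOST_MIN_FAILURES:
                fire("Repeated Login Failures, Single Host", src, dst, ts)
        else:
            # Login Failures Followed By Success: prior failures from this
            # source to this host, now followed by a successful login.
            prior = [t for t, d in failures[src] if d == dst and t < ts]
            if len(prior) >= FOLLOWED_BY_SUCCESS_MIN_FAILURES:
                fire("Login Failures Followed By Success", src, dst, ts)

    return firings


if __name__ == "__main__":
    for rule, src, dst, ts in evaluate(parse_events(SAMPLE_EVENTS)):
        print(f"{ts}  {rule}: source {src} -> {dst}")
```

Run as-is, the replay produces three firings: the spraying source trips Login Failures Across Multiple Hosts on its fourth distinct target, the brute-forcing source trips Repeated Login Failures, Single Host on its seventh failure and then Login Failures Followed By Success when it logs in, and the single mistyped password fires nothing. The windows here are evaluated at each event against the full failure history, which is fine for a replay but would need periodic pruning of each deque in a long-running collector.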
