Step 1: Update VPN Users To Locations list.

This rule needs 30 days of VPN data before it is useful: the first step builds, for every user, the set of locations that user normally connects from, and a location can only be judged “new” against that baseline. The rule can be configured to start automatically and then stop 30 days later using the “Start Time” and “Stop Time” parameters, so the learning period ends on its own.


LOGTITAN Rule Model For A User VPNs To the Network from A New Location for The First Time Then Accesses A Shared File System


There are different types of lists, and each type can handle different levels of data complexity.

A “Multi Value List” wraps an ordinary map so that a single key can hold more than one value. That is what the first step of the rule sequence needs, so we use a “Multi Value List” for the VPN Users To Locations list: the key is the user, and the values are every location that user has VPNed from during the learning period.



Step 2: Create a list: First Time VPN location for the user


Step 3: Check for a user who VPNs to the network from a new location for the first time and then accesses a shared file system.

We will check the Windows Security network-share event IDs (5140: a network share object was accessed; 5143: a network share object was modified; 5144: a network share object was deleted; 5145: a network share object was checked to see whether the client can be granted the desired access) and, if the user in the event is on the “First Time VPN location” list, notify. Note that 5140, 5143 and 5144 come from the Object Access > File Share audit subcategory and 5145 from Detailed File Share; 5145 is written for every access check, so it is high-volume and should be narrowed to the users on the list before correlation rather than ingested wholesale.
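The three steps above, as an added example that is not part of the original page or of the LOGTITAN product: Step 1 builds the per-user location baseline as a multi-value map, Step 2 records users whose latest VPN login came from a location absent from their baseline, and Step 3 alerts when one of those users produces a share event within a correlation window. The pipe-delimited log lines, the one-hour window, and the rule that a user with no baseline at all counts as "new location" are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the original page). Each line
# is "timestamp|source|user|value": VPN lines carry the geolocated
# location, Windows lines carry the Security event ID.
BASELINE_LOG = """\
2024-01-02T08:00:00|vpn|alice|US
2024-01-05T08:10:00|vpn|alice|US
2024-01-09T09:00:00|vpn|bob|US
2024-01-12T21:30:00|vpn|bob|DE
2024-01-20T08:05:00|vpn|alice|US
"""

LIVE_LOG = """\
2024-02-01T03:12:00|vpn|alice|RO
2024-02-01T03:14:00|win|alice|5145
2024-02-01T03:20:00|win|alice|5140
2024-02-01T10:00:00|vpn|bob|DE
2024-02-01T10:05:00|win|bob|5140
2024-02-01T11:00:00|vpn|carol|US
2024-02-03T11:00:00|win|carol|5145
"""

# Network-share event IDs named by the rule.
SHARE_EVENT_IDS = {"5140", "5143", "5144", "5145"}
# Assumed correlation window between the new-location login and the share access.
CORRELATION_WINDOW = timedelta(hours=1)


def parse(log):
    """Yield (timestamp, source, user, value) tuples from the constructed format."""
    for line in log.strip().splitlines():
        ts, src, user, value = line.split("|")
        yield datetime.fromisoformat(ts), src, user, value


def build_baseline(log):
    """Step 1: the VPN Users To Locations list as a multi-value map,
    user -> set of locations seen during the learning period."""
    baseline = defaultdict(set)
    for _, src, user, value in parse(log):
        if src == "vpn":
            baseline[user].add(value)
    return baseline


def correlate(baseline, log, window=CORRELATION_WINDOW):
    """Steps 2 and 3 over live events.

    first_time is the "First Time VPN location" list: user -> (location,
    login time). A user lands on it when a VPN login arrives from a location
    not in the baseline (a user with no baseline at all also qualifies) and
    leaves it on a login from a known location. A share event for a listed
    user inside the window produces an alert. The new location is folded
    into the baseline so the same location is not "first time" twice.
    """
    first_time = {}
    alerts = []
    for ts, src, user, value in parse(log):
        if src == "vpn":
            if value not in baseline[user]:
                first_time[user] = (value, ts)
                baseline[user].add(value)
            else:
                first_time.pop(user, None)
        elif src == "win" and value in SHARE_EVENT_IDS:
            entry = first_time.get(user)
            if entry and ts - entry[1] <= window:
                alerts.append((user, entry[0], value, ts))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for user, location, event_id, ts in correlate(base, LIVE_LOG):
        print(f"{ts} ALERT user={user} new_location={location} event={event_id}")
```

On the sample data only alice fires (two alerts, for 5145 and 5140, after her first login from RO); bob's login from DE is already in his baseline, and carol's share access falls two days after her new-location login, outside the window. In a real deployment the window and the "no baseline means new" rule are policy choices, and the baseline should be built from the same VPN source the live rule reads so that location strings compare exactly.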


As with other correlation rules, a single rule evaluation usually does not trigger an alert on its own. Instead, each rule the system applies adds decision points to the result, and the notification in Step 3 fires only when the new-location condition recorded in Step 2 and the share-access condition are both met for the same user.