Hello,
I spent the last two weeks trying to understand how exactly correlation handlers work and am still confused. I used one of the default handlers named "Default-Brute-Force-Account-Login-Attack-FGT", which should trigger after 5 unsuccessful logins to the FGT admin (if it's not followed by a successful login during the next 5 mins), and to get more data I created my own which should do the same for SSL-VPN logins.
After those two weeks I can only say it works sometimes. There is a value in the Threshold duration field (in minutes) set to 1440, which implies 24 hours. Based on my findings, if the attack is really brute (fast) and the login attempts are stuffed into, let's say, 2 hours, it triggers nicely. However, if the attack is slow-paced, it doesn't work at all.
The second issue I encountered is that sometimes it triggers after one failed attempt only. Please see attached screenshots.
Do I read the logs the wrong way, or do you have similar experiences?
Thanks
Robert
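The detection logic the post describes, as an added example that is not FortiAnalyzer's handler code: a sliding-window correlator over constructed FortiGate-style log lines, using the semantics given above (5 failures from the same user and source inside the threshold window, suppressed when a successful login follows within 5 minutes). The `window_min` and `grace_min` parameters are assumptions, chosen so the example shows how the window length decides whether a slow-paced attack is caught.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FortiGate-style admin-login records (not real device output):
# one fast burst that ends in a successful login, and one slow-paced series.
SAMPLE_LOGS = """\
date=2024-05-01 time=08:00:00 user="admin" srcip=203.0.113.5 action="login" status="failed"
date=2024-05-01 time=08:00:10 user="admin" srcip=203.0.113.5 action="login" status="failed"
date=2024-05-01 time=08:00:20 user="admin" srcip=203.0.113.5 action="login" status="failed"
date=2024-05-01 time=08:00:30 user="admin" srcip=203.0.113.5 action="login" status="failed"
date=2024-05-01 time=08:00:40 user="admin" srcip=203.0.113.5 action="login" status="failed"
date=2024-05-01 time=08:02:00 user="admin" srcip=203.0.113.5 action="login" status="success"
date=2024-05-01 time=09:00:00 user="bob" srcip=198.51.100.7 action="login" status="failed"
date=2024-05-01 time=13:00:00 user="bob" srcip=198.51.100.7 action="login" status="failed"
date=2024-05-01 time=17:00:00 user="bob" srcip=198.51.100.7 action="login" status="failed"
date=2024-05-01 time=21:00:00 user="bob" srcip=198.51.100.7 action="login" status="failed"
date=2024-05-02 time=01:00:00 user="bob" srcip=198.51.100.7 action="login" status="failed"
"""

def parse(line):
    """Split a key=value log line into a dict and attach a datetime under 'ts'."""
    fields = {k: v.strip('"') for k, v in (kv.split("=", 1) for kv in line.split())}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields

def correlate(lines, threshold=5, window_min=1440, grace_min=5):
    """Return (user, srcip, time_of_nth_failure) for every un-suppressed alert."""
    events = sorted((parse(l) for l in lines.splitlines() if l.strip()), key=lambda e: e["ts"])
    failures, successes, candidates = defaultdict(list), defaultdict(list), []
    for e in events:
        key = (e["user"], e["srcip"])
        if e["status"] == "success":
            successes[key].append(e["ts"])
            continue
        recent = failures[key]
        recent.append(e["ts"])
        # Sliding window: forget failures older than window_min relative to this one.
        while e["ts"] - recent[0] > timedelta(minutes=window_min):
            recent.pop(0)
        if len(recent) >= threshold:
            candidates.append((key, e["ts"]))
            recent.clear()  # count afresh after a candidate alert
    # A success within grace_min after the Nth failure cancels the alert.
    return [(k[0], k[1], t) for k, t in candidates
            if not any(t < s <= t + timedelta(minutes=grace_min) for s in successes[k])]
```

With the 1440-minute window the slow series for bob (failures 4 hours apart) still alerts, while a 120-minute window never accumulates 5 failures and stays silent, which is the behaviour to check when a handler seems to miss slow-paced attempts.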
Hello RobertC,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,