cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Alessio_DM
Level 8
Report Inappropriate Content
Message 1 of 7
‎06-10-2020 11:17 AM

Alarm for CVE 2019-0708

Jump to solution

Hi all, 

I am trying to create an alarm that  trigger whenever suspicious events occur towards the RDP port (3389)

The problem is the following:

for other customers we use Qradar, and the rule, in addition to destination port 3389, also includes:
same source
same destination
7 events
within 10 minutes

I can't understand how I can put these last rules into McAfee. I can't find the way, I tried with the correlation rules, but it doesn't work. Do you think there is a possible method to solve my problem?

Thanks in advance

0 Kudos
Reply
1 Solution

Accepted Solutions
lratcliffe
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 7
‎06-12-2020 03:42 AM

Re: Alarm for CVE 2019-0708

Jump to solution

This can definitely be done through a correlation rule.  In the correlation rule configuration group by source ip, destination ip to ensure the events all have the same source and destination.

In the filters add the destination port (3389), the signature IDs or normalisation IDs you expect it to match and any other filters as needed.  In the properties of the logical element (for a single set of events any will do - if you are combining multiple events use the appropriate one) you can set the threshold and time window (7 events, 10 minutes).

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

Reply
6 Replies
lratcliffe
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 7
‎06-12-2020 03:42 AM

Re: Alarm for CVE 2019-0708

Jump to solution

This can definitely be done through a correlation rule.  In the correlation rule configuration group by source ip, destination ip to ensure the events all have the same source and destination.

In the filters add the destination port (3389), the signature IDs or normalisation IDs you expect it to match and any other filters as needed.  In the properties of the logical element (for a single set of events any will do - if you are combining multiple events use the appropriate one) you can set the threshold and time window (7 events, 10 minutes).

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

Reply
Alessio_DM
Level 8
Report Inappropriate Content
Message 3 of 7
‎06-13-2020 10:00 AM

Re: Alarm for CVE 2019-0708

Jump to solution

Thank you so much for your help!

 

Have a good day 😄

0 Kudos
Reply
Alessio_DM
Level 8
Report Inappropriate Content
Message 4 of 7
‎06-14-2020 06:21 AM

Re: Alarm for CVE 2019-0708

Jump to solution
Hi, thank you for the help. The solution that you have provided seems to work fine but i see that in the alarm the events are grouped only by source IP. So the alarm trigger even if the destination IP are different. In the correlation rule i set group by: Destination IP, Source IP. Am i missing something??

Thank you in advance
0 Kudos
Reply
lratcliffe
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 7
‎06-15-2020 12:15 AM

Re: Alarm for CVE 2019-0708

Jump to solution

That sounds like it should work - if you're getting behaviour that does not match your expectations, please raise a Service Request with details of the configured rule and the events which triggered it - we will investigate and identify what is happening.

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
0 Kudos
Reply
Alessio_DM
Level 8
Report Inappropriate Content
Message 6 of 7
‎06-15-2020 05:55 AM

Re: Alarm for CVE 2019-0708

Jump to solution

Thanks for your reply. Where can i open a Service request?

 

Thank you

0 Kudos
Reply
YuvrajSalaria
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 7
‎06-15-2020 07:16 AM

Re: Alarm for CVE 2019-0708

Jump to solution
You can submit a service request on our Support Portal (https://support.mcafee.com).
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC