Alarm for CVE 2019-0708


Hi all, 

I am trying to create an alarm that triggers whenever suspicious events occur towards the RDP port (3389).

The problem is the following:

For other customers we use QRadar, and the rule, in addition to destination port 3389, also includes:
same source
same destination
7 events
within 10 minutes

I can't understand how I can put these last rules into McAfee. I can't find the way; I tried with the correlation rules, but it doesn't work. Do you think there is a possible method to solve my problem?

Thanks in advance

1 Solution

Accepted Solutions
lratcliffe
McAfee Employee
Message 2 of 7

Re: Alarm for CVE 2019-0708


This can definitely be done through a correlation rule. In the correlation rule configuration, group by source IP and destination IP to ensure the events all have the same source and destination.

In the filters, add the destination port (3389), the signature IDs or normalisation IDs you expect it to match, and any other filters as needed. In the properties of the logical element (for a single set of events "any" will do; if you are combining multiple events use the appropriate one) you can set the threshold and time window (7 events, 10 minutes).

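The following is an added example and not code from this thread or from McAfee ESM: a small Python model of the rule lratcliffe describes (filter on destination port 3389, group by source IP and destination IP, threshold of 7 events inside a 10-minute window), run over constructed sample events. The IP addresses, timestamps and the `parse_events`, `correlate` and `summarize` helpers are assumptions for illustration only. Running it grouped by source alone versus by source and destination also shows the behaviour reported later in the thread: grouped by source only, a sweep that spreads fewer than 7 attempts across several destinations still fires.

```python
"""Sliding-window threshold correlation for RDP (3389) events.

Added illustration of the ESM rule described in the accepted answer; this is
not McAfee code and the sample events below are constructed, not real logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.7  -> 192.0.2.20: 7 RDP attempts in 3 minutes (should alarm), plus one SSH event to be filtered out.
# 10.0.0.5  -> 192.0.2.10 and 192.0.2.11: 4 attempts each (alarm only if grouped by source alone).
# 10.0.0.9  -> 192.0.2.30: 7 attempts spread over 18 minutes (outside the 10-minute window).
SAMPLE_LOG = """
2019-05-15T10:00:00 10.0.0.7 192.0.2.20 3389
2019-05-15T10:00:15 10.0.0.7 192.0.2.20 22
2019-05-15T10:00:30 10.0.0.7 192.0.2.20 3389
2019-05-15T10:01:00 10.0.0.7 192.0.2.20 3389
2019-05-15T10:01:30 10.0.0.7 192.0.2.20 3389
2019-05-15T10:02:00 10.0.0.7 192.0.2.20 3389
2019-05-15T10:02:30 10.0.0.7 192.0.2.20 3389
2019-05-15T10:03:00 10.0.0.7 192.0.2.20 3389
2019-05-15T10:05:00 10.0.0.5 192.0.2.10 3389
2019-05-15T10:05:10 10.0.0.5 192.0.2.10 3389
2019-05-15T10:05:20 10.0.0.5 192.0.2.10 3389
2019-05-15T10:05:30 10.0.0.5 192.0.2.10 3389
2019-05-15T10:06:00 10.0.0.5 192.0.2.11 3389
2019-05-15T10:06:10 10.0.0.5 192.0.2.11 3389
2019-05-15T10:06:20 10.0.0.5 192.0.2.11 3389
2019-05-15T10:06:30 10.0.0.5 192.0.2.11 3389
2019-05-15T10:10:00 10.0.0.9 192.0.2.30 3389
2019-05-15T10:13:00 10.0.0.9 192.0.2.30 3389
2019-05-15T10:16:00 10.0.0.9 192.0.2.30 3389
2019-05-15T10:19:00 10.0.0.9 192.0.2.30 3389
2019-05-15T10:22:00 10.0.0.9 192.0.2.30 3389
2019-05-15T10:25:00 10.0.0.9 192.0.2.30 3389
2019-05-15T10:28:00 10.0.0.9 192.0.2.30 3389
"""


def parse_events(text):
    """Parse the constructed log lines into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def correlate(events, group_by=("src", "dst"), threshold=7,
              window=timedelta(minutes=10), dport=3389):
    """Emit one alarm per group key each time `threshold` matching events fall
    inside a sliding `window`. Mirrors the rule: filter on destination port,
    group by the chosen fields, threshold + time window on the element."""
    buckets = defaultdict(deque)   # group key -> timestamps still inside the window
    alarms = []
    for ts, src, dst, port in sorted(events):
        if port != dport:          # filter: only events towards the RDP port
            continue
        fields = {"src": src, "dst": dst}
        key = tuple(fields[f] for f in group_by)
        q = buckets[key]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alarms.append({"key": key, "first": q[0], "last": ts, "count": len(q)})
            q.clear()              # reset so one burst yields one alarm
    return alarms


def summarize(group_by=("src", "dst")):
    """Run the sample through the rule; return (key, first, last) with ISO timestamps."""
    return [(a["key"], a["first"].isoformat(), a["last"].isoformat())
            for a in correlate(parse_events(SAMPLE_LOG), group_by=group_by)]


if __name__ == "__main__":
    for gb in (("src", "dst"), ("src",)):
        print("group by", gb)
        for key, first, last in summarize(gb):
            print("  ALARM", key, first, "->", last)
```

Grouped by source and destination, only the 10.0.0.7 burst alarms; grouped by source alone, the 10.0.0.5 sweep also alarms because its eight attempts to two different hosts are counted together. Whether the real ESM element treats the window as sliding or fixed, and whether it resets after firing as this model does, is a detail to confirm against the rule's element properties rather than assume.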

6 Replies

Re: Alarm for CVE 2019-0708


Thank you so much for your help!

Have a good day 😄

Re: Alarm for CVE 2019-0708

Hi, thank you for the help. The solution that you have provided seems to work fine, but I see that in the alarm the events are grouped only by source IP, so the alarm triggers even if the destination IPs are different. In the correlation rule I set group by: Destination IP, Source IP. Am I missing something?

Thank you in advance
lratcliffe
McAfee Employee
Message 5 of 7

Re: Alarm for CVE 2019-0708


That sounds like it should work. If you're getting behaviour that does not match your expectations, please raise a Service Request with details of the configured rule and the events which triggered it; we will investigate and identify what is happening.


Re: Alarm for CVE 2019-0708


Thanks for your reply. Where can I open a Service Request?

Thank you

YuvrajSalaria
McAfee Employee
Message 7 of 7

Re: Alarm for CVE 2019-0708

You can submit a service request on our Support Portal (https://support.mcafee.com).