Baseline Correlation Rules

How can one get a listing of the onboard correlation rules that are pre-packaged with the SIEM tool? This has been asked previously but never answered?

3 Replies
penoffd (Reliable Contributor), Message 2 of 4

Re: Baseline Correlation Rules

Have you just opened the Policy editor and looked at the list?

Between this and looking at the normalizations relative to a particular policy rule, that should give you a good idea of what it is and how it works.

On a related note, whenever I create a custom rule based off an existing rule, I keep the rule name but add a prefix that is unique to our custom rules. It makes it easy to identify them in the dashboards.

Dan

andy777 (McAfee Employee), Message 3 of 4

Re: Baseline Correlation Rules

No easy way, but here is a list:

ACL - Excessive Firewall/ACL Connections Accepted From Single Host
ACL - Excessive Firewall/ACL Connections Denied From Single Host
ACL - Firewall Accept after Recon Event on a Local Host
ACL or Firewall - Multiple ACL Events to Multiple Hosts that are Blocked
Attack - Anomalous Activity after Exploit on Local Host
Attack - Backdoor Event after Buffer-Overflow Activity
Attack - DNS Changer Activity - Event or Flow
Attack - Exploit Event after Recon Activity
Attack - Malware Activity on Local Host
Attack - Malware Sent from Internal Host
Attack - Network DoS Activity Detected
Attack - Possible Botnet DNS connection or Unauthorized DNS Configuration Changes
Attack - Possible Conficker Worm Activity
Attack - Possible DDoS Against Single Host - ICMP - Flow
Attack - Possible DDoS Against Single Host - Other - Flow
Attack - Possible DDoS Against Single Host - TCP - Flow
Attack - Possible DDoS Against Single Host - UDP - Flow
Attack - Possible Worm Activity Detected on Internal Network
Attack - Project Blitzkrieg - Communication with Known Command and Control Server - Events or Flows
Attack - Successful Host Login after Keylogging Activity - Host
Attack - Successful Host Login after Keylogging Activity - IP
Attack - Virus Activity Across Multiple Systems
Attack - Worm Activity Detected on Local Host
Component - Events from any Source
Component - Events to Any Destination
Component - Events to a Destination Network
Component - Horizontal Scan from a Single Host to Multiple Destinations
Component - Normalized Events from a Local System to Multiple Destinations
Component - Normalized Events from a Remote System to Multiple Local Destinations
Database - Attempted Database Configuration Change by a Remote Host
Database - Excessive Database Connections From a Single Source
Database - Multiple Database Access Attempt Failures
Database - Possible SQL Injection Activity - Low Severity Queries
Database - Possible SQL Injection Activity - Query Failure by Destination User
Database - Possible SQL Injection Activity - Query Failure by Source IP
Exploit - Remote Access Exploit
Firewall or ACL - Excessive Firewall and ACL Accepts From Single Host
GTI - DNS Communication with Malicious Host - Event or Flow
GTI - IRC Communication with Suspicious Host - Event or Flow
GTI - Remote Shell Communication with Suspicious Host - Event or Flow
GTI - Successful Login from Suspicious Host
GTI - Successful Login to Suspicious Host
Login - Brute Force Login Attempts against External SSH Service
Login - Brute Force Login Attempts against Local SSH Service
Login - Brute Force Login Attempts against RLOGIN Service
Login - Brute Force Login Attempts against RSH Service
Login - Brute Force Login Attempts against Telnet Service
Login - Brute Force Login Attempts from a Single Source
Login - Brute Force Login Attempts on a Local Host
Login - Brute Force Login Attempts on an Internal Host from a Single Source
Login - Multiple Failed Database Admin Login Attempts
Login - Multiple Failed Database Login Attempts by Destination User
Login - Multiple Failed FTP Login Attempts Detected to Local Host
Login - Multiple Failed Login Attempts
Login - Multiple Failed Login Attempts from Single Source to Multiple Hosts
Login - Multiple Failed Login Attempts on Local Host
Login - Multiple Failed VoIP Login Attempts
Login - Successful Database Login after Multiple Failed Attempts
Login - Successful Host Login after Brute Force Attempts from a Single Source
Login - Successful Local Host Login after Brute Force Attempts
Login - Successful Login after Brute Force Attempts against External SSH Service
Login - Successful Login after Brute Force Attempts against Local SSH Service
Login - Successful Login after Brute Force Attempts against RLOGIN Service
Login - Successful Login after Brute Force Attempts against RSH Service
Login - Successful Login after Brute Force Attempts against Telnet Service
Login - Successful Login after Brute Force Attempts from a Single Source
Login - Successful Login after DoS Activity
Login - Successful Login after Exploit Activity
Login - Successful Login after Malware Activity
Login - Successful Login after Multiple Failed Attempts
Login - Successful Login after Reconnaissance Activity
Login - Successful Login after Suspicious Activity
Login - Successful Login to Local Host after Multiple Failed Login Attempts
Login - Successful Login to Suspicious Host
Login - Successful VoIP Login after Multiple Failed Attempts
MEG/ATD - Email Deferred without Submitting File to ATD
MEG/ATD - Identical Malicious File Found in Multiple Emails
MEG/ATD - Malicious Email was Delivered
Malware - Botnet Activity
Malware - Traffic with a Passive DNS known Malware Domain
Malware - Traffic with a known Botnet Bot
Malware - Traffic with a known Botnet Control Channel
Malware - Traffic with a known Malware URL host
Policy - Application Policy Events on a Local Host
Policy - Chat Policy Events on Local Host
Policy - Clear Text Application Use Detected To or From a Remote Host - Flow
Policy - Clear Text Application Use Detected on Local Network - Flow
Policy - Database Policy Events on a Local Host
Policy - Gaming Policy Events on a Local Host
Policy - IP Access Policy Events on a Local Host
Policy - Mail Policy Events on a Local Host
Policy - Multiple P2P Connections from Internal Host
Policy - Off-hours Events from a Local Host
Policy - Off-hours Events from a Local IP
Policy - Off-hours Events from a Local Zone
Policy - Off-hours Events from a Non-Company Geolocation
Policy - Off-hours Events from a Suspicious Geolocation
Policy - Off-hours Events to a Local Host
Policy - Off-hours Events to a Local IP
Policy - Off-hours Events to a Local Zone
Policy - Off-hours Events to a Non-Company Geolocation - Events or Flows
Policy - P2P Policy Events on Local Host
Policy - Porn Policy Events on a Local Host
Policy - Remote Access Policy Events on a Local Host
Policy - Traffic Routed Through a Known Web Proxy Server
Policy - Traffic from TOR exit node
Policy - Traffic routed through an IP Based Proxy
Policy - VoIP Policy Events on a Local Host
Recon - Application Query Events from a Local Host
Recon - Application Query Events from a Remote Host
Recon - DNS Recon Events from a Local Host
Recon - DNS Recon Events from a Remote Host
Recon - Database Recon Events from a Local Host
Recon - Database Recon Events from a Remote Host
Recon - Detected Anomaly of TCP or UDP Packet Activity from Internal Host
Recon - ESM Firewall Detected Stealth Scan Activity
Recon - FTP Recon Events from a Local Host
Recon - FTP Recon Events from a Remote Host
Recon - Footprinting Activity Detected Targeting a Local Host
Recon - Horizontal FTP Scan - Events or Flows
Recon - Horizontal HTTP Scan - Events or Flows
Recon - Horizontal HTTPS Scan - Events or Flows
Recon - Horizontal NETBIOS Scan: Port 137 and 138
Recon - Horizontal NetBIOS Scan: Port 139 - Events and Flows
Recon - Horizontal RDP Scan - Events or Flows
Recon - Horizontal RPC Scan - Events or Flows
Recon - Horizontal SMB Scan - Events or Flows
Recon - Horizontal SMTP Scan - Events or Flows
Recon - Horizontal SNMP Scan - Events or Flows
Recon - Horizontal SSH Scan - Events or Flows
Recon - Horizontal Telnet Scan - Events or Flows
Recon - Host Port Scan Events from a Local Host
Recon - Host Port Scan Events from a Remote Host
Recon - Host Query Events from a Local Host
Recon - Host Query Events from a Remote Host
Recon - ICMP Recon Events from a Local Host
Recon - ICMP Recon Events from a Remote Host
Recon - IP Recon Events from a Local Host
Recon - IP Recon Events from a Remote Host
Recon - Mail Recon Events from a Local Host
Recon - Mail Recon Events from a Remote Host
Recon - Misc Form of Reconnaissance Events from a Local Host
Recon - Misc Form of Reconnaissance Events from a Remote Host
Recon - Multiple TCP Recon Events from a Local Host
Recon - Network Sweep Activity Detected from a Local Host to Multiple Hosts
Recon - Network Sweep Activity Detected from a Local Host to Multiple Ports
Recon - Network Sweep Activity Detected from a Remote Host to Multiple Local Hosts
Recon - Network Sweep Activity Detected from a Remote Host to Multiple Local Ports
Recon - Network Sweep Events from a Local Host
Recon - Network Sweep Events from a Remote Host
Recon - Other Protocol Recon Events from a Local Host
Recon - Other Protocol Recon Events from a Remote Host
Recon - Possible Probing by a Single Source IP
Recon - RPC Request Events from a Local Host
Recon - RPC Request Events from a Remote Host
Recon - Recon Events from a Local Host
Recon - Recon Events from a Remote Host
Recon - SNMP Recon Events from a Local Host
Recon - SNMP Recon Events from a Remote Host
Recon - SSH Recon Events from a Local Host
Recon - SSH Recon Events from a Remote Host
Recon - TCP Recon Events from a Remote Host
Recon - Telnet Recon Events from a Local Host
Recon - Telnet Recon Events from a Remote Host
Recon - UDP Recon Events from a Local Host
Recon - UDP Recon Events from a Remote Host
Recon - Web Recon Events from a Local Host
Recon - Web Recon Events from a Remote Host
Suspicious - DNS Communication with Malicious Host - Event or Flow
Suspicious - High Severity Events to a Suspicious Geolocation
Suspicious - Honeypot Activity Detected
Suspicious - IDS Evasion From Local Host
Suspicious - IDS Evasion From Remote Host
Suspicious - IRC Communication with Suspicious Host - Event or Flow
Suspicious - Internal Host Logon without Logoff
Suspicious - Internal IP Login without Logout
Suspicious - Local Host Communicating with External DNS Server - Flow
Suspicious - Multiple Errors in TCP/IP Headers from a Local System
Suspicious - Multiple Errors in TCP/IP Headers from a Remote Host
Suspicious - Multiple High Severity Events from an Internal Host to and External Host
Suspicious - Multiple High Severity Events from an Internal Host to another Internal Host
Suspicious - Multiple High Severity Events to an Internal Host
Suspicious - Multiple Suspicious Events from a Local Host
Suspicious - Multiple Suspicious Events from a Remote Host
Suspicious - Multiple System Malfunction Events on a Local Host
Suspicious - Potential Communication and Exfiltration - Events or Flows
Suspicious - Remote Shell Communication with Suspicious Host - Event or Flow
Suspicious - Successful Login from Suspicious Host
Suspicious - Successful Remote Login from Foreign Country
Suspicious - Unusual Destination Port Activity - Flow
Suspicious - Unusual System Admin Login Activity
Suspicious - Unusually High Data Transfer Rate from External Network to Internal Host - Flow
Suspicious - Unusually High Data Transfer Rate from Internal Host to External Network - Flow
Suspicious - User Logon from Multiple Geolocations
Suspicious - User Logon from Multiple Hosts
Suspicious - User Logon from Multiple IP Addresses
TIE - GTI Reputation Changed from Clean to Dirty
TIE - Increase in Malicious Files Found Across All Hosts
TIE - Malicious File (SHA-1) Found on Increasing Number of Hosts
TIE - Malicious Filename Found on Increasing Number of Hosts
TIE - Multiple Malicious Files Found on Single Host
TIE - TIE Reputation Changed from Clean to Dirty

penoffd (Reliable Contributor), Message 4 of 4

Re: Baseline Correlation Rules

Great to see them listed.

You can look through the list and get an idea of what might be your biggest concerns, and enable those rules to start with.  If you don't subscribe to the McAfee Threat Feed service, the TIE and GTI entries won't work, so you can leave them disabled.

Some of these rules will generate a LOT of noise, especially those in the Recon group, as every time you get port scanned they can go off.

My suggestion would be to pick a subset of rules that look like something you want to be aware of, maybe 5 at a time.  Enable those and watch for a day or two to see if you're getting the desired results.  Once you have an idea of what to expect from a particular set of rules, enable a few more.

As you do this, while it may take a while to get through them all, you'll gradually engage a decent rule set and become better acquainted with the results and alerts, and if the rule(s) are relevant to your environment.  You'll find some that are really noisy, which if still important to you, you can tune to better reflect the results you're looking for.

Unfortunately, there are no "boilerplate" sets of rules that work out of the box.  It's all predicated on what you are looking for and the environments you are monitoring.  Just do a little bit at a time, get familiar with the results, and go forward from there.
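To make concrete what one of the listed rules actually correlates, and why the threshold and time window are where the tuning described above happens, here is an added example that is not part of the thread and not McAfee's correlation engine. It models the logic of "Login - Successful Login after Brute Force Attempts from a Single Source" as a sliding window over constructed authentication log lines: N failures from one source IP within a window, followed by a success from that same source, fires an alert. The log format, the field names, the `ACME -` prefix on the rule name (following the custom-rule prefix convention from the earlier reply) and the IP addresses are all assumptions made for the example.

```python
"""Toy sliding-window correlation, modelled on the ESM rule
"Login - Successful Login after Brute Force Attempts from a Single Source".
Added illustration only: not McAfee ESM code, and the log format is invented."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed custom-rule name: keep the stock name, add a site-specific prefix
# so tuned copies stand out in dashboards.
RULE_NAME = "ACME - Login - Successful Login after Brute Force Attempts from a Single Source"

# Constructed sample log (not real data). Three sources:
#  203.0.113.7   six failures in one minute, then a success  -> real brute force
#  198.51.100.5  two failures, then a success                 -> a user mistyping
#  192.0.2.9     three failures spread over 20 minutes, success -> outside window
SAMPLE_LOG = """\
2024-03-01T09:00:00 src=203.0.113.7 user=admin outcome=fail
2024-03-01T09:00:10 src=203.0.113.7 user=admin outcome=fail
2024-03-01T09:00:20 src=203.0.113.7 user=root outcome=fail
2024-03-01T09:00:30 src=203.0.113.7 user=admin outcome=fail
2024-03-01T09:00:40 src=203.0.113.7 user=admin outcome=fail
2024-03-01T09:00:50 src=203.0.113.7 user=admin outcome=fail
2024-03-01T09:01:00 src=203.0.113.7 user=admin outcome=success
2024-03-01T09:02:00 src=198.51.100.5 user=alice outcome=fail
2024-03-01T09:02:30 src=198.51.100.5 user=alice outcome=fail
2024-03-01T09:03:00 src=198.51.100.5 user=alice outcome=success
2024-03-01T09:10:00 src=192.0.2.9 user=bob outcome=fail
2024-03-01T09:20:00 src=192.0.2.9 user=bob outcome=fail
2024-03-01T09:30:00 src=192.0.2.9 user=bob outcome=fail
2024-03-01T09:31:00 src=192.0.2.9 user=bob outcome=success
"""


@dataclass
class Event:
    ts: datetime
    src_ip: str
    user: str
    outcome: str  # "fail" or "success"


def parse_line(line: str) -> Event:
    """Parse one constructed 'TIMESTAMP key=value ...' line into an Event."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_str), fields["src"], fields["user"], fields["outcome"])


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Return (ts, src_ip, user, failures_in_window) for every success that
    follows at least `threshold` failures from the same source within `window`."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        recent = failures[ev.src_ip]
        # Drop failures that have aged out of the window relative to this event.
        while recent and ev.ts - recent[0] > window:
            recent.popleft()
        if ev.outcome == "fail":
            recent.append(ev.ts)
        elif ev.outcome == "success" and len(recent) >= threshold:
            alerts.append((ev.ts, ev.src_ip, ev.user, len(recent)))
            recent.clear()  # fire once per burst, not once per later success
    return alerts


def run(threshold=5, window_minutes=5):
    """Correlate the sample log with the given tuning knobs."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return correlate(events, threshold, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for thr in (5, 2):
        print(f"{RULE_NAME} [threshold={thr}]")
        for ts, src, user, n in run(threshold=thr):
            print(f"  {ts.isoformat()} {src} user={user} after {n} failures")
```

With the default threshold of 5 only 203.0.113.7 fires; lowering the threshold to 2 also flags alice's two typos, which is exactly the kind of noise the reply above describes. 192.0.2.9 never fires because its failures are spaced wider than the window, so widening the window is the other knob to reason about when a rule seems to miss slow, low-rate attempts.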
