I have a correlation rule that seems not to be working correctly. I am looking for IPs not in External_Net, but the rule is triggering the opposite. If I filter for events with source IP in External_Net, it shows the rules also. Where is the bug? The External_Net is defined as !Home_Net, where Home_Net = 10.64.0.0/16. I have seen that the rules are not triggering correctly when variables are being used like this one. Is there a workaround? Is there a known bug, or am I doing something wrong?
Is it possible that this matched the other condition?
OR and AND operators are not exactly the same as you would think from a programming language. They are more commonly used for correlation (where you are looking for more than one event). Think of them as one event needing to match one of the conditions inside the OR. Conversely, if that OR was changed to an AND, you must have at minimum 2 packets for this rule to fire, and since there is no grouping, it would never fire.
OK, if we are only concerned about the first condition in the OR, can you remove the second one, do a policy rollout, and give us a screenshot of the correlated events?
This way we are eliminating any other side effects.
And technically, you could make 2 different correlation rules, one for each condition, this way you know what one triggered the events. The net result would be the same, except you have a better idea as to what is going on. Since watchlists and variables can change over time, it might not always be obvious at a later date what rule items matched.
I have modified the rule as suggested and it still doesn't work.
I have filtered source IP by External_Net. It shows only the IPs from External_Net. But the rule should filter out the IPs from External_Net. It is contradictory! It makes no sense.
Still not working!!!
I took a closer look at your screenshot.
I can't see what correlated event you have selected, but I see them all with empty "Source User." To me this indicated that your bottom filter will always match, assuming "DC10DNSEff11" is in the watchlist "PS_DNS-EffIP_hosts." What version are you running? I know there was an issue with correlation details at some point in time.
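The diagnosis above can be checked with a small model of the rule. This is an added example, not the ESM engine or anything posted in the thread: it assumes the bottom filter is "Source User not in watchlist PS_DNS-EffIP_hosts", that the OR is evaluated per event as described earlier, and it uses constructed sample events.

```python
import ipaddress

# Home_Net as given in the thread; External_Net is defined as !Home_Net.
HOME_NET = [ipaddress.ip_network("10.64.0.0/16")]

# Assumed content of watchlist PS_DNS-EffIP_hosts (only the host named in the thread).
WATCHLIST = {"DC10DNSEff11"}


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def in_external_net(ip: str) -> bool:
    # Variable negation: External_Net = !Home_Net
    return not in_home_net(ip)


def cond_src_not_external(event: dict) -> bool:
    # Top filter: source IP NOT in External_Net (the condition the author wants).
    return not in_external_net(event["src_ip"])


def cond_user_not_in_watchlist(event: dict) -> bool:
    # Assumed bottom filter: Source User NOT in watchlist.
    # An empty Source User is never in the watchlist, so this is always true for such events.
    return event.get("src_user", "") not in WATCHLIST


def evaluate(event: dict) -> dict:
    """Evaluate both conditions for one event; the OR fires if either matches."""
    top = cond_src_not_external(event)
    bottom = cond_user_not_in_watchlist(event)
    return {"src_not_external": top, "user_not_in_watchlist": bottom, "fires": top or bottom}


# Constructed events: an External_Net source with empty Source User, the same source
# with a watchlisted user, and a Home_Net source with a watchlisted user.
EVENTS = [
    {"src_ip": "198.51.100.7", "src_user": ""},
    {"src_ip": "198.51.100.7", "src_user": "DC10DNSEff11"},
    {"src_ip": "10.64.3.9", "src_user": "DC10DNSEff11"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev, "->", evaluate(ev))
```

The first event shows the symptom from the thread: the External_Net source still fires, but only through the bottom filter, which is why removing that filter or splitting the rule in two isolates the cause.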