Reliable Contributor David1111
Message 1 of 6

Configure the main ACE to correlate just from different Receivers

Hi Dear Community.

I need your help. In our environment we have a few Receivers.
Each receiver is a different customer, and each receiver has a dedicated ACE.

On top of everything I put one main ACE; I want that main ACE to correlate only if the events are from 2 or more receivers.

If the events are just from 1 receiver (customer) I don't need the main receiver to correlate, because I have it from the local ACE.

Do you have a creative way to accomplish that?

Thank You Very much.

Best regards

David.

5 Replies

Re: Configure the main ACE to correlate just from different Receivers

You can add multiple correlation engines to a single ACE, similar to adding a data source to a receiver. Each child on the ACE can be configured to accept logs from devices in the filter config.

Reliable Contributor David1111
Message 3 of 6

Re: Configure the main ACE to correlate just from different Receivers

Hi Dzielnsky.

I'm aware of this option and I configured my environment so.

The problem is that I have a main ACE on top of all the little ACEs (I mean, without filtering it on a specific Receiver).

And I want this ACE to correlate only when the events in the correlation rule are from 2 different Receivers.

For example:

Event number 1 - from receiver number 1

&

Event number 2 - from receiver number 2

Then I want it to trigger.

But if both of the events are from 1 receiver, not to trigger

(because the local ACE of that receiver will trigger already.)

Thank you

Best regards.

David.

Reliable Contributor akerr
Message 4 of 6

Re: Configure the main ACE to correlate just from different Receivers

Start by creating your correlation rule to pick the event(s) of interest, but add to that rule that the event must happen on Receiver 1. So your filter might be something like:

Signature ID IN XXXXX, Device ID IN (Receiver 1)

Now drag the Set down; it will default to 1 of 1.

Drag in another filter and set up the same rule, but this time:

Signature ID IN XXXXX, Device ID IN (Receiver 2)

Continue until you have a rule for each receiver. Now set the condition of the SET to 2 of (N), where N is the number of receivers you have.

Hope that makes sense.
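The "2 of N" SET that akerr describes is, in effect, a count of distinct filter components that matched inside the correlation window. The following is an added example (not code from the thread, from McAfee, or from ESM) that simulates that logic on constructed events so the behaviour can be checked before building the rule in the ACE editor: one component per receiver, each matching `Signature ID IN <set>` and `Device ID IN (Receiver k)`, and the SET firing only when at least 2 components are active. The signature IDs, receiver names and window length are all constructed placeholders. Brent's variant (local correlation on each receiver, then a derivative rule on the primary ACE) would feed this same distinct-receiver count with the locally correlated events instead of the raw ones.

```python
"""Simulate an ACE-style SET rule of "2 of N" components, one per receiver.

Added example, not ESM's own code. All IDs and names below are constructed.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed placeholders: real values come from the ESM rule editor.
SIGNATURES_OF_INTEREST = {43000001, 43000002}
RECEIVERS = ("Receiver 1", "Receiver 2", "Receiver 3")
WINDOW_SECONDS = 600  # hypothetical correlation window

Event = Dict[str, object]


def component_matches(event: Event, receiver: str) -> bool:
    """One filter component: Signature ID IN (...) AND Device ID IN (receiver)."""
    return event["sig_id"] in SIGNATURES_OF_INTEREST and event["device_id"] == receiver


def correlate(events: Iterable[Event], receivers=RECEIVERS, threshold: int = 2,
              window: int = WINDOW_SECONDS) -> List[Tuple[int, Tuple[str, ...]]]:
    """Return (time, receivers_matched) for every time the SET fires.

    Events are processed in time order. Each component remembers the time of
    its most recent match; a component counts as active while that match is
    still inside the window. The SET fires when `threshold` or more components
    are active, then resets so the same events do not fire it twice.
    """
    last_seen: Dict[str, int] = {}
    triggers: List[Tuple[int, Tuple[str, ...]]] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        now = int(ev["time"])
        for r in receivers:
            if component_matches(ev, r):
                last_seen[r] = now
        active = tuple(sorted(r for r, t in last_seen.items() if now - t <= window))
        if len(active) >= threshold:
            triggers.append((now, active))
            last_seen.clear()
    return triggers


# Constructed sample stream: two hits on Receiver 1 alone (must NOT fire,
# the local ACE handles that), then a hit on Receiver 2 inside the window
# (fires), then a lone late hit on Receiver 3 outside the window (no fire).
SAMPLE_EVENTS: List[Event] = [
    {"time": 0, "sig_id": 43000001, "device_id": "Receiver 1"},
    {"time": 30, "sig_id": 43000002, "device_id": "Receiver 1"},
    {"time": 120, "sig_id": 99, "device_id": "Receiver 2"},  # not of interest
    {"time": 200, "sig_id": 43000001, "device_id": "Receiver 2"},
    {"time": 5000, "sig_id": 43000001, "device_id": "Receiver 3"},
]

# Same signatures, but every event from one customer's receiver.
SAMPLE_EVENTS_SINGLE_RECEIVER: List[Event] = [
    {"time": 0, "sig_id": 43000001, "device_id": "Receiver 1"},
    {"time": 10, "sig_id": 43000002, "device_id": "Receiver 1"},
    {"time": 20, "sig_id": 43000001, "device_id": "Receiver 1"},
]


if __name__ == "__main__":
    print("multi-receiver:", correlate(SAMPLE_EVENTS))
    print("single-receiver:", correlate(SAMPLE_EVENTS_SINGLE_RECEIVER))
```

The single-receiver stream never fires no matter how many events it carries, which is exactly the property David asked for; raising `threshold` to 3 shows why the SET condition, not the number of filter components, controls how many customers must be involved.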

Reliable Contributor David1111
Message 5 of 6

Re: Configure the main ACE to correlate just from different Receivers

It seems like an interesting solution.

It's very creative.

Thank you.

I will accept it as a solution, because I don't think I will get a better answer.

Thanks again!

Reliable Contributor brenta
Message 6 of 6

Re: Configure the main ACE to correlate just from different Receivers

Hey David,

If each customer has its own receiver, there's a little trick you can do to offload a lot of the data transit and correlate events significantly faster. If you go to your receiver's Data Sources editor, you can actually add one of these fancy little guys. You do lose the ability to create event filters, but it can be set to correlate locally. (Which is often all the filters are used for.)

[Screenshot: Screen Shot 2019-02-05 at 2.56.53 AM.png]

Then you can build a fancy derivative rule, on your primary ACE, that looks for Correlated events of a specific type, or you could just remove that component rule and just use grouping on your primary ACE. You can also just do this with the Correlation Managers/Engines on your primary, but it might be a little extra work maintaining all of the required filters on them.

[Screenshot: Screen Shot 2019-02-05 at 3.04.43 AM.png]

Brent
