Reliable Contributor David1111

Configure the main ACE to correlate just from different Receivers

Hi Dear Community.

I need your help. In our environment we have a few Receivers.
Each receiver is a different customer, and each receiver has a dedicated ACE.

On top of everything I put one main ACE, and I want that main ACE to correlate only if the events are from 2 or more receivers.

If the events are just from 1 receiver (customer) I don't need the main receiver to correlate, because I have it from the local ACE.

Do you have a creative way to accomplish that?!

Thank you very much.

Best regards

David.


4 Replies

Re: Configure the main ACE to correlate just from different Receivers

You can add multiple correlation engines to a single ACE, similar to adding a datasource to a receiver. Each child on the ACE can be configured to accept logs from devices in the filter config.

Reliable Contributor David1111

Re: Configure the main ACE to correlate just from different Receivers

Hi Dzielnsky.

I'm aware of this option and I configured my environment that way.

The problem is that I have a main ACE on top of all the little ACEs (I mean, without filtering it on a specific Receiver),

and I want this ACE to correlate only when the events in the correlation rule are from 2 different Receivers.

For example:

Event number 1 - from receiver number 1

&

Event number 2 - from receiver number 2

Then I want it to trigger.

But if both of the events are from 1 receiver - not to trigger

(because the local ACE of that receiver will trigger already).

Thank you

Best regards.

David.

Reliable Contributor akerr (Accepted Solution)

Re: Configure the main ACE to correlate just from different Receivers

Start by creating your correlation rule to pick the event(s) of interest, but add to that rule that the event must happen on Receiver 1. So your filter might be something like:

Signature ID IN XXXXX, Device ID IN (Receiver 1)

Now drag the Set down; it will default to 1 of 1.

Drag in another filter and set up the same rule, but this time:

Signature ID IN XXXXX, Device ID IN (Receiver 2)

Continue until you have a rule for each receiver. Now set the condition of the SET to 2 of (N), where N is the number of receivers you have.

Hope that makes sense.
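
The accepted answer's rule, written out as plain detection logic so its behaviour can be checked offline. This is an added example and not part of the thread or of McAfee ESM: each receiver gets its own filter (Signature ID IN ..., Device ID IN (Receiver k)) and the set fires only when at least 2 of the N per-receiver filters have matched. The event field names (`ts`, `device_id`, `signature_id`), the 10-minute correlation window, the reset after firing and the sample events are assumptions constructed for the example, not ESM settings.

```python
"""Added example (not McAfee ESM configuration): a "2 of N receivers" set.

Each receiver is one filter; the set triggers only when matching events
have arrived from at least `required` distinct receivers, so two events
from the same receiver never fire the main rule (the local ACE handles that).
"""

from datetime import datetime, timedelta

# Constructed sample events.  device_id names the Receiver that forwarded
# the event, which is the field the accepted answer filters on (assumption).
SAMPLE_EVENTS = [
    {"ts": "2019-03-01T10:00:00", "device_id": "Receiver 1", "signature_id": 4301},
    {"ts": "2019-03-01T10:00:20", "device_id": "Receiver 1", "signature_id": 4301},
    {"ts": "2019-03-01T10:01:05", "device_id": "Receiver 3", "signature_id": 9999},
    {"ts": "2019-03-01T10:02:00", "device_id": "Receiver 2", "signature_id": 4301},
]


def parse_ts(value):
    """ISO-8601 timestamp string -> datetime (assumed event format)."""
    return datetime.fromisoformat(value)


def build_rule(signature_ids, receivers, required=2, window=timedelta(minutes=10)):
    """Model of the answer's rule: one 'Signature ID IN ..., Device ID IN (Receiver k)'
    filter per receiver, wrapped in a set whose condition is `required` of len(receivers).
    The time window is an assumption; the answer does not state one."""
    return {
        "signature_ids": set(signature_ids),
        "receivers": set(receivers),
        "required": required,
        "window": window,
    }


def correlate(events, rule):
    """Replay events in time order and return one alert per trigger.

    Each alert is the sorted list of distinct receivers whose per-receiver
    filter matched inside the window at the moment the set fired.
    """
    alerts = []
    last_match = {}  # receiver -> timestamp of its most recent matching event
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        # The per-receiver filters share the same Signature ID condition ...
        if ev["signature_id"] not in rule["signature_ids"]:
            continue
        # ... and only receivers that have a filter in the set can count.
        if ev["device_id"] not in rule["receivers"]:
            continue
        now = parse_ts(ev["ts"])
        last_match[ev["device_id"]] = now
        # Expire receivers whose last matching event fell outside the window.
        last_match = {r: t for r, t in last_match.items() if now - t <= rule["window"]}
        # Set condition: `required` of N filters matched -> trigger.
        if len(last_match) >= rule["required"]:
            alerts.append(sorted(last_match))
            last_match = {}  # reset after firing (assumption about set behaviour)
    return alerts


def demo():
    """Run the rule over the constructed sample: fires once, on Receivers 1 and 2."""
    rule = build_rule([4301], ["Receiver 1", "Receiver 2", "Receiver 3"])
    return correlate(SAMPLE_EVENTS, rule)


if __name__ == "__main__":
    for receivers in demo():
        print("main ACE triggered on receivers:", receivers)
```

Note the two Receiver 1 events alone never trigger, however many arrive, because they only ever satisfy one of the N filters; that is exactly what the "2 of N" set condition buys over a plain event count.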

Reliable Contributor David1111

Re: Configure the main ACE to correlate just from different Receivers

It seems like an interesting solution.

It's very creative.

Thank you.

I will accept it as a solution, because I don't think I will get a better answer.

Thanks again!
