gene33

Correlation Rule Exceptions


I would like to create exceptions to filter out false positives that fire for McAfee correlation rules. I see that I could edit the specific rule, but if I make changes to it I would need to save a new copy of that, then probably disable the McAfee version. That doesn't seem right to me - is there another way to add exceptions to correlation rules?

Example:  Windows firewall allows itself to access objects (127.0.0.1).  This can create a ton of "Excessive Firewall/ACL Connections Accepted From Single Host" correlations.  The solution would be to filter out 127.0.0.1.  How can I do this without needing to create a new copy of the correlation and disabling the McAfee version?

Any help would be appreciated!

Thanks!

Gene

1 Solution

Accepted Solutions

Re: Correlation Rule Exceptions


Hi,

By default you can only modify the parameters for a built-in correlation rule. If you want to fine-tune it, it's always recommended to copy the default rule and add your conditions whilst disabling your default rule.

Regards,

Vinaya.
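
As an added illustration (not part of the original thread and not McAfee's rule logic), this Python sketch shows a count-per-source correlation with the exception applied before counting, as a copied rule with an extra condition would do. The threshold, window, event layout and sample events are assumptions constructed for the example, and it goes slightly beyond the question by excluding all loopback addresses rather than only 127.0.0.1.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed values: the thread does not state the built-in rule's threshold or window.
THRESHOLD = 5
WINDOW_SECONDS = 60
# Exception list for the copied rule: all loopback space, not just one literal address.
EXCLUDED_SOURCES = [ip_network("127.0.0.0/8"), ip_network("::1/128")]

def correlate(events, threshold=THRESHOLD, window=WINDOW_SECONDS,
              exclusions=EXCLUDED_SOURCES):
    """Return sorted source IPs with >= threshold accepts inside `window` seconds.

    events: iterable of (epoch_seconds, source_ip, action) tuples (assumed layout).
    """
    recent = defaultdict(deque)   # source IP -> timestamps still inside the window
    fired = set()
    for ts, src, action in sorted(events):
        if action != "accept":
            continue
        addr = ip_address(src)
        if any(addr in net for net in exclusions):
            continue              # exception: dropped before it is ever counted
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            fired.add(src)
    return sorted(fired)

# Constructed sample events (not real logs).
SAMPLE_EVENTS = (
    [(t, "127.0.0.1", "accept") for t in range(20)]          # firewall talking to itself
    + [(t, "127.0.0.53", "accept") for t in range(6)]        # another loopback address
    + [(t * 5, "10.0.0.7", "accept") for t in range(6)]      # genuine burst
    + [(t, "10.0.0.8", "accept") for t in range(3)]          # below threshold
    + [(t * 120, "10.0.0.9", "accept") for t in range(6)]    # too spread out
)

if __name__ == "__main__":
    print("no exception:   ", correlate(SAMPLE_EVENTS, exclusions=[]))
    print("127.0.0.1 only: ", correlate(SAMPLE_EVENTS,
                                        exclusions=[ip_network("127.0.0.1/32")]))
    print("all loopback:   ", correlate(SAMPLE_EVENTS))
```

Excluding only the literal 127.0.0.1 still lets other loopback sources trip the correlation, which is why the exception is expressed as a network rather than a string match.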
