Showing results for 
Search instead for 
Did you mean: 

Correlation Rule Question


I've been working on this for awhile now, researched the forums, read documentation etc etc. I've used several other SIEM's and unless I'm mistaken this SIEM is the most difficult to work with in terms of making correlated rules that actually work. Is there a tester I'm not aware of. I've had to make the bottom four rules because documentation exists on this. I based my initial correlated rules of the pre-existing ones. Still didn't work. I'm getting the information I need in the default viewer so I KNOW the data is there.

List of things done so far:

-ACE is Enabled

-All of my rules have been assigned a normalized ID range (in this case "malware")

-All of the policies have been rolled out

-I disabled the default group

-Inside the Rule Correlation Policy group is disallowed inheritance from the parent (default group) and all of them have been enabled/rolled out

What else can I do to make ONE of these templates work? Am I missing something easy? Very frustrated with this process! Any help would be greatly appreciated.



test rule 1.png


test rule 2.png


test rule 3.png


test rule 4.png

47 Replies
sssyyy Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 48

Re: Correlation Rule Question

What I will do is:

1. In event view, do a filter on normalisation = malware, event subtype != block, and threat_handled != yes; and see if you can see any events in normal event view. If there is definitely events that fit those criteria,

2. Test your correlation rule by introducing one condition at a time, and see at which step it stops correlating

also check your grouping by option and other logical settings. Looks like #2 should work and it's the most clean one.

Re: Correlation Rule Question

That's the thing though.

I've done this. It's the first thing I do. If I can find it in a view I should be able to write a correlated rule on this based on the criteria seen in the fields provided. Also for #2 I based my previous rules on pre-existing templates (that "clean look") and they simply do not fire.

This past weekend I had a rule for looking for events "Normalization: Malware, Subtype "Pass", Threat Handled: "No". Well one of those events came through and this rule didn't fire. It's extremely frustrating...

Re: Correlation Rule Question

Regarding the "grouping by" option and other logical settings....those are blank. Should I have something in them?



Re: Correlation Rule Question

I just went into the viewer:

Normalization: Malware

Event Subtype: ! Block

Threat Handled: ! Yes

There's one event there....

NONE of the four templates fired. What gives?

Re: Correlation Rule Question

I think the issue is the "group by". I should set the rule for "Normalization Rule".

Re: Correlation Rule Question

Just for the hell of it...

In terms of group by. Does the arrangement matter? Normalization before Event Sub-type for instance?

Also should I just do normalization? I'm going basic just to understand how it works. If and when I add "Threat_Handled" do I want to put that into group by as well?



rule 5.png

sssyyy Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 8 of 48

Re: Correlation Rule Question

Just put the threat_handled back into the logic after event type. Group by go with source IP.

Is the malware event coming from ePO or any other data source? If so, you can also bind it using device IN "data source", but not required.

Re: Correlation Rule Question

The malware events are coming from the ACE and EPO.

Why source IP?

I'm going to add back in Threat Handled

sssyyy Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 10 of 48

Re: Correlation Rule Question

For Group By use source IP.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community