I've been working on this for a while now, researched the forums, read documentation, etc. I've used several other SIEMs and unless I'm mistaken this SIEM is the most difficult to work with in terms of making correlated rules that actually work. Is there a tester I'm not aware of? I've had to make the bottom four rules because, well... zero documentation exists on this. I based my initial correlated rules off the pre-existing ones. Still didn't work. I'm getting the information I need in the default viewer so I KNOW the data is there.
List of things done so far:
- ACE is enabled
- All of my rules have been assigned a normalized ID range (in this case "malware")
- All of the policies have been rolled out
- I disabled the default group
- Inside the Rule Correlation Policy group, inheritance from the parent (default group) is disallowed, and all of the rules have been enabled/rolled out
What else can I do to make ONE of these templates work? Am I missing something easy? Very frustrated with this process! Any help would be greatly appreciated.
What I will do is:
1. In event view, filter on normalisation = malware, event subtype != block, and threat_handled != yes, and see if you can see any events in the normal event view. If there are definitely events that fit those criteria,
2. Test your correlation rule by introducing one condition at a time, and see at which step it stops correlating.
Also check your group-by option and other logical settings. Looks like #2 should work and it's the cleanest one.
That's the thing though.
I've done this. It's the first thing I do. If I can find it in a view I should be able to write a correlated rule on this based on the criteria seen in the fields provided. Also for #2 I based my previous rules on pre-existing templates (that "clean look") and they simply do not fire.
This past weekend I had a rule looking for events with Normalization: "Malware", Subtype: "Pass", Threat Handled: "No". Well, one of those events came through and this rule didn't fire. It's extremely frustrating...
I just went into the viewer:
Event Subtype: ! Block
Threat Handled: ! Yes
There's one event there....
NONE of the four templates fired. What gives?
Just for the hell of it...
In terms of group by. Does the arrangement matter? Normalization before Event Sub-type for instance?
Also should I just do normalization? I'm going basic just to understand how it works. If and when I add "Threat_Handled" do I want to put that into group by as well?
Just put the threat_handled back into the logic after event type. For group by, go with source IP.
Is the malware event coming from ePO or any other data source? If so, you can also bind it using device IN "data source", but not required.
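The "add one condition at a time" test suggested earlier and the group-by-source-IP advice above, as an added simulation that is not part of this thread or of any SIEM product: it applies the thread's three conditions cumulatively over constructed sample events, reports the match count after each step so you can see where matching drops to zero, then buckets the survivors by a group-by field. Field names, operators and the sample events are assumptions for illustration.

```python
# Simulation of incremental correlation-rule testing (added example, not SIEM code).
# Constructed sample events; field names follow the thread, not any vendor schema.
EVENTS = [
    {"normalization": "malware", "event_subtype": "pass",  "threat_handled": "no",  "src_ip": "10.0.0.5"},
    {"normalization": "malware", "event_subtype": "block", "threat_handled": "yes", "src_ip": "10.0.0.5"},
    {"normalization": "malware", "event_subtype": "pass",  "threat_handled": "yes", "src_ip": "10.0.0.7"},
    {"normalization": "auth",    "event_subtype": "pass",  "threat_handled": "no",  "src_ip": "10.0.0.9"},
    {"normalization": "malware", "event_subtype": "alert", "threat_handled": "no",  "src_ip": "10.0.0.5"},
]

# The rule discussed in the thread, as (field, operator, value) triples in the order they are added.
RULE = [
    ("normalization", "==", "malware"),
    ("event_subtype", "!=", "block"),
    ("threat_handled", "!=", "yes"),
]

def matches(event, field, op, value):
    """Case-insensitive string compare (an assumption; check how your SIEM compares values)."""
    actual = str(event.get(field, "")).lower()
    return actual == value.lower() if op == "==" else actual != value.lower()

def incremental_test(events, rule):
    """Apply conditions cumulatively; return the number of surviving events after each step."""
    counts, remaining = [], list(events)
    for field, op, value in rule:
        remaining = [e for e in remaining if matches(e, field, op, value)]
        counts.append(len(remaining))
    return counts

def first_failing_step(counts):
    """1-based index of the first condition that leaves zero events, or None if all steps match."""
    for step, count in enumerate(counts, 1):
        if count == 0:
            return step
    return None

def group_by(events, rule, key):
    """Events surviving every condition, counted per value of the group-by field."""
    survivors = [e for e in events if all(matches(e, f, o, v) for f, o, v in rule)]
    groups = {}
    for e in survivors:
        groups[e.get(key)] = groups.get(e.get(key), 0) + 1
    return groups

if __name__ == "__main__":
    counts = incremental_test(EVENTS, RULE)
    print("matches after each condition:", counts)
    print("first condition that kills all matches:", first_failing_step(counts))
    print("survivors grouped by src_ip:", group_by(EVENTS, RULE, "src_ip"))
```

If a step drops to zero here but the same filter shows events in the event viewer, the condition added at that step is the one to compare against the viewer's field values.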