hegemon76
Level 9

Correlation Rule Question

Hello,

I've been working on this for a while now, researched the forums, read documentation, etc. I've used several other SIEMs and, unless I'm mistaken, this SIEM is the most difficult to work with in terms of making correlated rules that actually work. Is there a tester I'm not aware of? I've had to make the bottom four rules because, well... zero documentation exists on this. I based my initial correlated rules off the pre-existing ones. Still didn't work. I'm getting the information I need in the default viewer, so I KNOW the data is there.

List of things done so far:

-ACE is Enabled

-All of my rules have been assigned a normalized ID range (in this case "malware")

-All of the policies have been rolled out

-I disabled the default group

-Inside the Rule Correlation Policy group, inheritance from the parent (default group) is disallowed, and all of the rules have been enabled/rolled out

What else can I do to make ONE of these templates work? Am I missing something easy? Very frustrated with this process! Any help would be greatly appreciated.

TB

Attached screenshots:

1. test rule 1.png
2. test rule 2.png
3. test rule 3.png
4. test rule 4.png

47 Replies
sssyyy
Level 12

Re: Correlation Rule Question

What I will do is:

1. In event view, do a filter on normalisation = malware, event subtype != block, and threat_handled != yes, and see if you can see any events in the normal event view. If there are definitely events that fit those criteria,

2. Test your correlation rule by introducing one condition at a time, and see at which step it stops correlating

Also check your grouping-by option and other logical settings. Looks like #2 should work, and it's the cleanest one.

hegemon76
Level 9

Re: Correlation Rule Question

That's the thing though.

I've done this. It's the first thing I do. If I can find it in a view I should be able to write a correlated rule on this based on the criteria seen in the fields provided. Also for #2 I based my previous rules on pre-existing templates (that "clean look") and they simply do not fire.

This past weekend I had a rule looking for events with Normalization: "Malware", Subtype: "Pass", Threat Handled: "No". Well, one of those events came through and this rule didn't fire. It's extremely frustrating...

hegemon76
Level 9

Re: Correlation Rule Question

Regarding the "grouping by" option and other logical settings... those are blank. Should I have something in them?

Thanks

TB

hegemon76
Level 9

Re: Correlation Rule Question

I just went into the viewer:

Normalization: Malware

Event Subtype: ! Block

Threat Handled: ! Yes

There's one event there....

NONE of the four templates fired. What gives?

hegemon76
Level 9

Re: Correlation Rule Question

I think the issue is the "group by". I should set the rule for "Normalization Rule".

hegemon76
Level 9

Re: Correlation Rule Question

Just for the hell of it...

In terms of group by: does the arrangement matter? Normalization before Event Sub-type, for instance?

Also should I just do normalization? I'm going basic just to understand how it works. If and when I add "Threat_Handled" do I want to put that into group by as well?

Thanks

TB

Attached screenshot: rule 5.png

sssyyy
Level 12

Re: Correlation Rule Question

Just put the threat_handled back into the logic after event type. For Group By, go with source IP.

Is the malware event coming from ePO or any other data source? If so, you can also bind it using device IN "data source", but not required.

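The two pieces of advice in sssyyy's replies (add the rule's conditions back one at a time and watch where the match count drops to zero; then group the survivors by source IP) can be checked outside the SIEM with a small script. The block below is an added example, not McAfee ESM code and not something either poster wrote: it models a correlation rule as an ordered list of field predicates over constructed event records whose field names (normalization, event_subtype, threat_handled, source_ip, device) mirror the fields discussed in the thread. The broken rule with `==` in place of `!=` is a hypothetical mistake used only to show how the incremental check pinpoints the condition that kills the match.

```python
"""Toy correlation-rule debugger (added example; not McAfee ESM code).

Re-applies a rule's conditions one at a time so the first condition that
leaves zero events is visible, then groups the surviving events by a
field (source IP, as suggested in the thread) and reports which groups
reach a firing threshold.
"""
from collections import defaultdict

# Constructed sample events (not real ESM/ePO/ACE data).
EVENTS = [
    {"normalization": "Malware", "event_subtype": "Pass", "threat_handled": "No", "source_ip": "10.0.0.5", "device": "ePO"},
    {"normalization": "Malware", "event_subtype": "Block", "threat_handled": "Yes", "source_ip": "10.0.0.5", "device": "ePO"},
    {"normalization": "Malware", "event_subtype": "Pass", "threat_handled": "No", "source_ip": "10.0.0.7", "device": "ACE"},
    {"normalization": "Authentication", "event_subtype": "Failure", "threat_handled": "No", "source_ip": "10.0.0.5", "device": "DC"},
    {"normalization": "Malware", "event_subtype": "Alert", "threat_handled": "No", "source_ip": "10.0.0.5", "device": "ACE"},
]

# Predicates compare case-insensitively: a viewer filter and a rule that
# differ only in case ("Block" vs "block") should still agree.
def field_eq(field, value):
    return lambda e: str(e.get(field, "")).lower() == value.lower()

def field_ne(field, value):
    return lambda e: str(e.get(field, "")).lower() != value.lower()

def field_in(field, values):
    wanted = {v.lower() for v in values}
    return lambda e: str(e.get(field, "")).lower() in wanted

# The rule as discussed in the thread: malware, not blocked, not handled.
RULE = [
    ("normalization == Malware", field_eq("normalization", "Malware")),
    ("event_subtype != Block",   field_ne("event_subtype", "Block")),
    ("threat_handled != Yes",    field_ne("threat_handled", "Yes")),
]

# Hypothetical broken variant: the subtype operator was flipped to ==.
BROKEN_RULE = [
    ("normalization == Malware", field_eq("normalization", "Malware")),
    ("event_subtype == Block",   field_eq("event_subtype", "Block")),
    ("threat_handled != Yes",    field_ne("threat_handled", "Yes")),
]

def apply_incrementally(events, rule):
    """Return [(condition_label, events_surviving)] adding one condition at a time."""
    survivors = list(events)
    trace = []
    for label, pred in rule:
        survivors = [e for e in survivors if pred(e)]
        trace.append((label, len(survivors)))
    return trace

def first_killing_condition(trace):
    """Label of the first condition after which no events remain, else None."""
    for label, count in trace:
        if count == 0:
            return label
    return None

def group_by(events, rule, field="source_ip"):
    """Count events matching every condition of the rule, keyed by `field`."""
    groups = defaultdict(int)
    for e in events:
        if all(pred(e) for _, pred in rule):
            groups[e.get(field)] += 1
    return dict(groups)

def fired(groups, threshold=1):
    """Group keys whose count reached the threshold (what the rule would fire on)."""
    return sorted(k for k, n in groups.items() if n >= threshold)

if __name__ == "__main__":
    for name, rule in (("RULE", RULE), ("BROKEN_RULE", BROKEN_RULE)):
        trace = apply_incrementally(EVENTS, rule)
        print(name, trace, "first zero at:", first_killing_condition(trace))
    # Optional data-source binding, as mentioned in the thread: device IN (ePO, ACE).
    bound = RULE + [("device IN (ePO, ACE)", field_in("device", {"ePO", "ACE"}))]
    print("by source IP:", group_by(EVENTS, bound), "fires:", fired(group_by(EVENTS, bound), threshold=2))
```

Running it prints the match count after each condition for both rules; the working rule keeps three events and fires on 10.0.0.5 at a threshold of two, while the broken rule shows the count collapsing to zero at the third condition, which is exactly the "at which step does it stop correlating" signal the advice above is looking for.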
hegemon76
Level 9

Re: Correlation Rule Question

The malware events are coming from the ACE and EPO.

Why source IP?

I'm going to add back in Threat Handled

sssyyy
Level 12

Re: Correlation Rule Question

For Group By use source IP.
