
Correlation That Matches Event Field Data


I would like to incorporate logic into a correlation rule that takes a field in an event (External_SessionID) and matches it with another event. If the External_SessionIDs match, I want to take Field-x from event 1 and Field-y from event 2 and use them in the correlation rule with an event from another device type. Does anyone know of a way to do this? I have tried a couple of forum searches but haven't found anything like it yet.


Accepted Solutions

Re: Correlation That Matches Event Field Data


For this correlation, and forgive me if I misunderstood the approach, I would suggest using "Group by: External_SessionID".

Then for the correlation logic use an AND gate with two filters:

            |  "Device ID #1", "Field-x"
   AND  |
            |   "Device ID #2", "Field-y"

7 Replies
McAfee Employee

Re: Correlation That Matches Event Field Data


Hi -

I call this "correlation workflow". There may be a more eloquent approach, but watchlists are where I make this happen. You can update a watchlist as an action for any event so:

Correlation rule 1 = Event1+Event2 = Field-x->watchlist1 Field-y->watchlist2 and then
Correlation rule 2 = watchlist1+watchlist2

Make sense?
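The two-stage "correlation workflow" described in this reply, combined with the "Group by: External_SessionID" plus AND-gate rule from the accepted solution, as an added Python illustration of the logic (this is not McAfee ESM code and does not use any ESM API). Stage 1 groups events by External_SessionID, requires one event from each of two device IDs, and pushes Field-x from the device-1 event and Field-y from the device-2 event into two watchlists; stage 2 matches events from a third device against both watchlists. The device IDs, field names and the sample events are all constructed for the example, and the extracted values are read per source device so that two events carrying a field with the same name cannot supply the wrong value.

```python
"""Two-stage session-keyed correlation (added illustration, not ESM code)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Assumed device identifiers for the example.
DEVICE_1 = "dev-1"   # events that carry the Field-x we want
DEVICE_2 = "dev-2"   # events that carry the Field-y we want
DEVICE_3 = "dev-3"   # the other device type checked in correlation rule 2

# Constructed sample events.  Note the dev-2 event in session S1 also has a
# "Field-x" key; stage 1 only reads Field-x from the dev-1 event, so the
# watchlist gets "alice", never "bob".
EVENTS: List[Dict[str, str]] = [
    {"device": DEVICE_1, "External_SessionID": "S1", "Field-x": "alice"},
    {"device": DEVICE_2, "External_SessionID": "S1", "Field-x": "bob", "Field-y": "10.0.0.5"},
    {"device": DEVICE_1, "External_SessionID": "S2", "Field-x": "dave"},        # no dev-2 partner
    {"device": DEVICE_1, "External_SessionID": "S3", "Field-x": "carol"},
    {"device": DEVICE_2, "External_SessionID": "S3", "Field-y": "10.0.0.9"},
    {"device": DEVICE_3, "Field-x": "alice", "Field-y": "10.0.0.5"},            # should match rule 2
    {"device": DEVICE_3, "Field-x": "bob", "Field-y": "10.0.0.5"},              # "bob" is not in watchlist1
    {"device": DEVICE_3, "Field-x": "carol", "Field-y": "10.0.0.1"},            # 10.0.0.1 is not in watchlist2
]


def stage1(events: Iterable[Dict[str, str]]) -> Tuple[Set[str], Set[str], List[str]]:
    """Correlation rule 1: group by External_SessionID, AND of the two device filters.

    Returns (watchlist1, watchlist2, matched_session_ids).
    """
    # session id -> {device id: first event seen from that device}
    by_session: Dict[str, Dict[str, Dict[str, str]]] = defaultdict(dict)
    for ev in events:
        sid = ev.get("External_SessionID")
        if sid is None:                      # events without the key cannot be grouped
            continue
        by_session[sid].setdefault(ev["device"], ev)

    watchlist1: Set[str] = set()
    watchlist2: Set[str] = set()
    matched: List[str] = []
    for sid, per_device in by_session.items():
        ev1, ev2 = per_device.get(DEVICE_1), per_device.get(DEVICE_2)
        if ev1 is None or ev2 is None:       # the AND gate: both filters must match
            continue
        x, y = ev1.get("Field-x"), ev2.get("Field-y")   # read each field from its own device
        if x is None or y is None:
            continue
        watchlist1.add(x)
        watchlist2.add(y)
        matched.append(sid)
    return watchlist1, watchlist2, matched


def stage2(events: Iterable[Dict[str, str]], watchlist1: Set[str], watchlist2: Set[str],
           field1: str = "Field-x", field2: str = "Field-y") -> List[Dict[str, str]]:
    """Correlation rule 2: dev-3 events whose fields hit watchlist1 AND watchlist2."""
    return [
        ev for ev in events
        if ev.get("device") == DEVICE_3
        and ev.get(field1) in watchlist1
        and ev.get(field2) in watchlist2
    ]


def run(events: Iterable[Dict[str, str]] = EVENTS) -> Tuple[Set[str], Set[str], List[Dict[str, str]]]:
    """Run both rules over one event set and return (watchlist1, watchlist2, rule-2 hits)."""
    events = list(events)
    wl1, wl2, _ = stage1(events)
    return wl1, wl2, stage2(events, wl1, wl2)


if __name__ == "__main__":
    wl1, wl2, hits = run()
    print("watchlist1:", sorted(wl1))
    print("watchlist2:", sorted(wl2))
    print("rule 2 hits:", hits)
```

The per-device read in stage 1 is the point to compare with an ESM watchlist action, which populates from whichever matching event it sees: if both grouped events carry the same field name, the value that lands in the watchlist is not guaranteed to come from the event you intended, and parsing the two sources into distinctly named fields (or keying the extraction by device as above) removes that ambiguity.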


Re: Correlation That Matches Event Field Data


Hi,

I tried to do the same thing in my case, but it seems to be different.

With the events retrieved from an Ironport (email) I try to get the events for a specific Filename. For this event I get only the MID.

I also need the Sender and Recipient information, which can be correlated with the MID, but they are on different events of the Ironport.

Can anyone help me on the methodology?

Thanks

Re: Correlation That Matches Event Field Data


I have actually had to go back to the drawing board on this. When I configured the rule to populate the watchlist with the field in the correlated event I needed, it was only adding that event to the correlation match about 20% of the time. My watchlist was not being consistently populated and I have yet to explain why that is the case.

I would be interested to hear if you find a solution to this, and plan to post back if I find anything.

Re: Correlation That Matches Event Field Data


Thanks both of you for the suggestions. I will work through them and plan to let you know how it works out.

Re: Correlation That Matches Event Field Data


Is there a way to specify which field populates the watchlist? In the events I am working with, both events have a field with the same name but different values. I only want to populate the watchlist with the value from one of the events, but right now it seems kind of random which one is chosen (I am assuming whichever is evaluated last). I am working with event order and sequencing to see if I can make it consistent.

Re: Correlation That Matches Event Field Data


Scratch that last question - I was able to get the events parsed into different fields to remove the duplication. So far it looks like the suggestion is working for what I needed. I will be using it to populate the initial watchlist and then a second correlation rule to check the event with another device (as suggested). Thanks for your help!