Correlation magic (aka - streamline operations via traffic pattern matches)
I have a scenario that I frequently face and that I am trying to automate using correlation rules.
The scenario is more or less like this:
1. A system accesses a malicious URL; a third-party IPS vendor product issues an alarm saying "this is really bad".
2. I click on "look around 5 minutes, match via destination IP"
3. I find a third-party proxy log displaying if the access was successful or not
Please note that I have no way of guaranteeing that the IPS alert will reach the McAfee SIEM platforms before the events generated by the proxy logs; therefore, I am looking to do a match around the time event 1 took place.
Has anyone had success automating this type of correlation? How?
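The matching logic described in the post, written out as an added example (it is not from the original post and does not use McAfee ESM's rule syntax or event format): the IPS alert and the proxy log lines are keyed on destination IP and matched on their event timestamps within a symmetric 5-minute window, so a proxy line that arrives at the SIEM before the alert it belongs to is still found. The log line format, field names and IP addresses are constructed for the example.

```python
"""Time-window correlation of IPS alerts with proxy logs, keyed on destination IP.

Added example. The line format, field names and sample values below are
constructed assumptions, not the output of any real IPS, proxy or SIEM.
"""
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # "look around 5 minutes", in both directions

# Constructed sample events, listed in ARRIVAL order at the SIEM. Note that the
# proxy line for the first alert arrives before the alert itself, and that the
# third alert has only a stale proxy line 20 minutes earlier.
RAW_EVENTS = [
    "2024-03-01T10:00:01 proxy src=10.1.2.3 dst=203.0.113.7 action=ALLOW status=200 url=http://bad.example/payload",
    "2024-03-01T10:00:03 ips   src=10.1.2.3 dst=203.0.113.7 sev=high msg=malicious-url",
    "2024-03-01T10:02:10 proxy src=10.1.2.9 dst=198.51.100.5 action=DENY status=403 url=http://evil.example/",
    "2024-03-01T10:02:09 ips   src=10.1.2.9 dst=198.51.100.5 sev=high msg=malicious-url",
    "2024-03-01T10:30:00 ips   src=10.1.2.4 dst=192.0.2.44 sev=high msg=malicious-url",
    "2024-03-01T10:10:00 proxy src=10.1.2.4 dst=192.0.2.44 action=ALLOW status=200 url=http://old.example/",
]


def parse(line):
    """Parse one constructed '<iso-timestamp> <source> k=v k=v ...' line into a dict."""
    ts, kind, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for pair in pairs:
        key, _, value = pair.partition("=")  # split on the first '=' only (URLs may contain '=')
        event[key] = value
    return event


def correlate(lines, window=WINDOW):
    """For every IPS alert, find proxy events to the same destination IP whose
    event timestamp lies within +/- window of the alert's timestamp, and decide
    whether the access was allowed, blocked, or has no proxy evidence at all.

    Matching is done on event timestamps, not arrival order, so it does not
    matter which source reached the SIEM first.
    """
    events = [parse(line) for line in lines]
    alerts = [e for e in events if e["kind"] == "ips"]

    # Index proxy events by destination IP, sorted by time, so each alert is a
    # binary search over a small per-destination list.
    proxy_by_dst = {}
    for e in events:
        if e["kind"] == "proxy":
            proxy_by_dst.setdefault(e["dst"], []).append(e)
    for bucket in proxy_by_dst.values():
        bucket.sort(key=lambda e: e["ts"])

    results = []
    for alert in alerts:
        bucket = proxy_by_dst.get(alert["dst"], [])
        times = [e["ts"] for e in bucket]
        lo = bisect_left(times, alert["ts"] - window)
        hi = bisect_right(times, alert["ts"] + window)
        matches = bucket[lo:hi]

        if not matches:
            verdict = "no proxy evidence in window"
        elif any(m["action"] == "ALLOW" for m in matches):
            verdict = "allowed"  # at least one request to the flagged destination got through
        else:
            verdict = "blocked"

        results.append({"alert": alert, "matches": matches, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in correlate(RAW_EVENTS):
        a = r["alert"]
        print(f"{a['ts'].isoformat()} {a['src']} -> {a['dst']}: {r['verdict']} "
              f"({len(r['matches'])} proxy event(s) in window)")
```

The window is deliberately symmetric around the alert's own timestamp: the rule does not assume the alert is the earliest record of the incident. In a streaming SIEM the equivalent rule has to keep the alert open for the full window before it can declare "no proxy evidence", otherwise late-arriving proxy lines are silently missed; tightening the key to source IP plus destination IP is a cheap way to cut false pairings when several hosts talk to the same destination.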