Correlative rule based off Correlative components - Group not working

I am having a bit of a problem regarding a correlation rule I have created. Basically, I created a correlation component which triggers whenever a correlation rule regarding Malware happens, and another component which triggers when a correlative rule regarding an access breach happens.

I am trying to determine a strong case of severity by determining a Malware event happening which is followed by an access event. (As seen in the picture below)

And as you can see, I decided I want it to be grouped by Source IP.

Whenever this rule triggers, the grouping doesn't work correctly, meaning I get one Malware event and one Access event but on two different IP addresses.

I am wondering if this is caused by the lack of ability of the ACE engine to determine the underlying IP address of an event happening inside of a correlative component, and if so, then what are correlative components even good for?

Any help on this subject will be greatly appreciated.

1 Reply
Reliable Contributor brenta
Message 2 of 2

Re: Correlative rule based off Correlative components - Group not working

Should I understand that you have 3 layers of rules?

Top most composite rule <- correlation Component Malware <- correlation rule regarding Malware
                        <- correlation Component Breach  <- correlation rule regarding access breach

So 5 rules total? This is not what the intention of the components was. You likely should build your most basic levels (lowest level) as components, then incorporate them into higher-level correlation rules. This will also aid in management of other rules, as you will only need to make changes to the base components and all of the rules they are used in will be updated as well.

Brent
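As an added illustration (not part of this thread, and not how McAfee's ACE engine is implemented), here is a minimal Python sequence correlator built the way the reply suggests: two base components that classify raw events, feeding one rule that requires a malware hit followed by an access breach within a time window, grouped by Source IP. The `keep_key=False` flag models the behaviour the question suspects, where an intermediate layer emits an event without the source IP, so one malware event and one breach event on different addresses get paired. The event records and signature names are constructed sample data.

```python
# Constructed sample events (ts in seconds); signature names are made up.
EVENTS = [
    {"ts": 0,   "src_ip": "10.0.0.5", "sig": "malware.detected"},
    {"ts": 30,  "src_ip": "10.0.0.9", "sig": "auth.failure.burst"},
    {"ts": 60,  "src_ip": "10.0.0.5", "sig": "auth.failure.burst"},
    {"ts": 900, "src_ip": "10.0.0.7", "sig": "malware.detected"},
]


# Base components: each classifies a raw event and, if it matches,
# returns the event unchanged so the grouping field (src_ip) survives.
def malware_component(ev):
    return ev if ev["sig"] == "malware.detected" else None


def breach_component(ev):
    return ev if ev["sig"] == "auth.failure.burst" else None


def correlate(events, group_by="src_ip", window=300, keep_key=True):
    """Higher-level rule: malware followed by an access breach within
    `window` seconds, grouped by `group_by`.

    keep_key=False models (as an assumption, not ACE's real behaviour)
    a layered design whose intermediate component drops the source IP:
    every event then falls into one shared group, so a breach from any
    address closes the sequence opened by malware on another address.
    """
    pending = {}  # group key -> timestamp of the open malware hit
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev[group_by] if keep_key else "*"
        if malware_component(ev):
            pending[key] = ev["ts"]          # open (or refresh) a sequence
        elif breach_component(ev) and key in pending:
            if ev["ts"] - pending[key] <= window:
                alerts.append((key, pending[key], ev["ts"]))
                del pending[key]              # fire once per sequence
    return alerts


if __name__ == "__main__":
    print("grouped by src_ip:", correlate(EVENTS))
    print("key dropped      :", correlate(EVENTS, keep_key=False))
```

With the key preserved the only alert is for 10.0.0.5 (malware at t=0, breach at t=60); with the key dropped the malware on 10.0.0.5 is paired with the breach on 10.0.0.9, which is the cross-IP result described in the question.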