Showing results for 
Search instead for 
Did you mean: 

Correlative rule based off Correlative components - Group not working


I am having a bit of a problem regarding a correlation rule I have created - Basically a created a correlation component which basically triggers whenever a correlation rule regarding Malware happens and another component which triggers when a correlative rule regarding access breach happens.

I am trying to determine a strong case of severity by determining a Malware event happening which is followed by an access event. (As seen in the picture below)

And as you can see, I decided I want it to be group by Source IP.

When ever this rule triggers, the grouping doesn't work correctly meaning I get one Malware event and one Access event but on two different IP Addresses. 

I am wondering if this is caused by the lack of ability from the ACE engine to determine the underlying ip address of an event happening inside of a correlative component and if so then what are correaltive components even good for?

Any help on this subject will be greatly appriciated.







Member Rewards
McAfee Community rewards active and helpful members just like you. Click here to take a look at the first community members who received a special reward and were recognized by McAfee leader, Aneel Jaeel, for their participation and trusted knowledge in the community.