Correlative rule based off Correlative components - Group not working
I am having a bit of a problem regarding a correlation rule I have created. Basically, I created a correlation component which triggers whenever a correlation rule regarding malware happens, and another component which triggers when a correlation rule regarding an access breach happens.
I am trying to establish a strong case for severity by detecting a malware event which is followed by an access event (as seen in the picture below).
And as you can see, I decided I want it to be grouped by Source IP.
Whenever this rule triggers, the grouping doesn't work correctly, meaning I get one malware event and one access event, but on two different IP addresses.
I am wondering if this is caused by the ACE engine's inability to determine the underlying IP address of an event happening inside of a correlative component, and if so, then what are correlative components even good for?
Any help on this subject will be greatly appreciated.
So 5 rules total? This is not what the intention of the components was. You likely should build your most basic levels (lowest level) as components, then incorporate them into higher-level correlation rules. This will also aid in management of other rules, as you will only need to make changes to the base components and all of the rules they are used in will be updated as well.
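To make the difference between the two designs concrete, here is an added example (not code from the original thread and not ArcSight's own ACE implementation) in Python. It models the lowest-level matchers as components (`is_malware`, `is_access_breach`), then shows two higher-level sequence rules built on top of them: one with no group-by, which reproduces the mismatched-IP pairing the question describes, and one that keeps per-Source-IP state so a malware event is only paired with an access event from the same address inside a time window. The `Event` fields, the `SAMPLE_EVENTS` list and the 300-second window are constructed for the example and are assumptions, not ArcSight schema.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Matcher = Callable[["Event"], bool]


@dataclass(frozen=True)
class Event:
    ts: int            # seconds (constructed, not an ArcSight field name)
    source_ip: str     # stands in for ArcSight's Source Address
    category: str      # e.g. "malware", "access-breach" (constructed labels)


# Lowest-level components: each matches exactly one kind of base event.
# Higher-level rules reuse these, so a change here updates every rule.
def is_malware(e: Event) -> bool:
    return e.category == "malware"


def is_access_breach(e: Event) -> bool:
    return e.category == "access-breach"


def correlate_ungrouped(events: List[Event], first: Matcher, second: Matcher,
                        window: int) -> List[Tuple[Event, Event]]:
    """Sequence rule with NO group-by: any `first` event followed by any
    `second` event within `window` fires, regardless of source IP.
    This is the behaviour the question complains about."""
    alerts: List[Tuple[Event, Event]] = []
    pending: Optional[Event] = None
    for e in sorted(events, key=lambda x: x.ts):
        if pending is None:
            if first(e):
                pending = e
            continue
        if e.ts - pending.ts > window:          # window expired; restart
            pending = e if first(e) else None
            continue
        if second(e):
            alerts.append((pending, e))
            pending = None
    return alerts


def correlate_by_source_ip(events: List[Event], first: Matcher, second: Matcher,
                           window: int) -> List[Tuple[Event, Event]]:
    """Same sequence rule, but state is keyed by source IP, so the
    `first` and `second` events must come from the same address."""
    alerts: List[Tuple[Event, Event]] = []
    pending: Dict[str, Event] = {}
    for e in sorted(events, key=lambda x: x.ts):
        p = pending.get(e.source_ip)
        if p is not None and e.ts - p.ts > window:   # stale state for this IP
            del pending[e.source_ip]
            p = None
        if p is not None and second(e):
            alerts.append((p, e))
            del pending[e.source_ip]
        elif p is None and first(e):
            pending[e.source_ip] = e
    return alerts


# Constructed sample feed: malware on .5, then an access breach on .9 (a
# different host), then an access breach on .5 itself.
SAMPLE_EVENTS = [
    Event(0,    "10.0.0.5", "malware"),
    Event(30,   "10.0.0.9", "access-breach"),
    Event(60,   "10.0.0.5", "access-breach"),
    Event(1000, "10.0.0.7", "malware"),
    Event(1100, "10.0.0.7", "info"),
]

WINDOW = 300  # seconds; assumption for the example


if __name__ == "__main__":
    for name, fn in (("ungrouped", correlate_ungrouped),
                     ("by source IP", correlate_by_source_ip)):
        for a, b in fn(SAMPLE_EVENTS, is_malware, is_access_breach, WINDOW):
            print(f"{name}: {a.source_ip} {a.category} -> {b.source_ip} {b.category}")
```

Run as-is, the ungrouped rule pairs the malware event from 10.0.0.5 with the access breach from 10.0.0.9, exactly the cross-IP alert the question reports, while the grouped rule only fires once both base components have matched for 10.0.0.5. The point is that the join key has to be carried through the higher-level rule's own state; the base components stay as simple, reusable matchers.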