
Correlative rule based off Correlative components - Group not working


I am having a bit of a problem regarding a correlation rule I have created. Basically, I created a correlation component which triggers whenever a correlation rule regarding Malware happens, and another component which triggers when a correlation rule regarding access breach happens.

I am trying to determine a strong case of severity by determining a Malware event happening which is followed by an access event. (As seen in the picture below)

And as you can see, I decided I want it to be grouped by Source IP.

Whenever this rule triggers, the grouping doesn't work correctly, meaning I get one Malware event and one Access event but on two different IP addresses.

I am wondering if this is caused by the ACE engine's inability to determine the underlying IP address of an event happening inside a correlation component, and if so, then what are correlation components even good for?

Any help on this subject will be greatly appreciated.







1 Reply
Reliable Contributor brenta

Re: Correlative rule based off Correlative components - Group not working

Should I understand that you have 3 layers of rules?


Top most composite rule <- correlation Component Malware <- correlation rule regarding Malware
                        <- correlation Component Breach  <- correlation rule regarding access breach


So 5 rules total? This is not what the intention of the components was. You likely should build your most basic levels (lowest level) as components, then incorporate them into higher level correlation rules; this will also aid in management of other rules, as you will only need to make changes to the base components and all of the rules they are used in will be updated as well.
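
The behaviour the question expects from "Malware followed by an access event, grouped by Source IP", sketched outside the product and set beside the same sequence with no group-by, which reproduces the mismatched-IP symptom. This is an added example, not part of the thread and not McAfee ESM/ACE rule syntax; the events, the 600-second window and the function names are constructed for illustration.

```python
# Constructed sample events: (timestamp_seconds, source_ip, category)
EVENTS = [
    (100, "10.0.0.5", "malware"),
    (160, "10.0.0.9", "access_breach"),  # different host than the malware at t=100
    (220, "10.0.0.7", "malware"),
    (300, "10.0.0.7", "access_breach"),  # same host, after malware: the real hit
    (900, "10.0.0.5", "access_breach"),  # same host as t=100, but outside the window
]

WINDOW = 600  # seconds; hypothetical correlation window


def correlate_ungrouped(events, window=WINDOW):
    """Malware then access breach with no group-by: any two hosts can pair."""
    hits = []
    last_malware = None  # (timestamp, source_ip) of the most recent malware event
    for ts, ip, category in sorted(events):
        if category == "malware":
            last_malware = (ts, ip)
        elif category == "access_breach" and last_malware is not None:
            if ts - last_malware[0] <= window:
                hits.append((last_malware[1], ip))
            last_malware = None
    return hits


def correlate_grouped(events, window=WINDOW):
    """Same sequence, but state is kept per source IP (the group-by field)."""
    pending = {}  # source_ip -> timestamp of that host's latest malware event
    hits = []
    for ts, ip, category in sorted(events):
        if category == "malware":
            pending[ip] = ts
        elif category == "access_breach" and ip in pending:
            # pop() consumes the malware event whether or not it is in the window
            if ts - pending.pop(ip) <= window:
                hits.append(ip)
    return hits


if __name__ == "__main__":
    print("ungrouped:", correlate_ungrouped(EVENTS))
    print("grouped:  ", correlate_grouped(EVENTS))
```

An alert whose two contributing events carry different source IPs, like the first ungrouped hit here, indicates that the group-by field was not applied to the events being matched.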
