We want to create a rule for our critical servers to identify if some port scanning or malicious activity is performed. I have run Nmap on one of our servers, which triggered the default rules in SIEM; using those rule signatures I created a custom correlation rule that checks if the same attacks are on our critical servers. The rule is triggering, but with other rule signatures that I did not mention. Please see the screenshots attached.
As shown above, the rules are in the green, but when I try to see the triggered events, I can see other rules that have been triggered rather than the ones mentioned above. Please see the screenshots below.
Can anyone explain why other rules are triggered rather than the ones mentioned in the rule?
I think that this question is probably best approached via a support ticket. We would need to know the sig-ids that are being triggered, nature of the events and look at the specifics of the rule you have written.
Can you open up a new case on that? When it is resolved, a summary of the findings could be posted to the Community Portal.
Looking at your correlation rule you are using the GTI watchlist feeds. I checked on one of the IP addresses which is in fact listed in the Watchlist.
Possibly you can tweak your rule to use just the Malicious GTI feed rather than both the Suspicious and Malicious?
You can also try removing that particular rule as well to see if it removes a lot of the erroneous triggers.
Just a few things I noticed at first pass.
First, similar to what David Osborne said, you need to do something about your GTI. I suggest, for this correlation, take it out. You will get way too many alerts from that single correlation alone. Use the GTI in its own correlation rule (green rules are correlations).
Secondly, an easier way to get your expected output is to copy the default correlations you are using in your "OR" boolean and add your filter for the destination IP and Source IP, then just rename your correlation to state it's for your crit servers.
Hope that helps
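To make the cause concrete, here is an added example (not from this thread or from the SIEM vendor) that models the correlation logic in Python: an OR of the expected signature IDs with the GTI Suspicious/Malicious watchlist, scoped to critical servers. Signature names, IP addresses and watchlist entries are constructed; the point is that any event from a watchlisted source matches the rule regardless of its signature, which is exactly the unexpected sig-ids in the triggered events, and that splitting the GTI clause into its own rule removes them.

```python
from dataclasses import dataclass

# Constructed sample data; in ESM these would be the rule's filters and the GTI watchlist.
CRITICAL_SERVERS = {"10.0.0.10", "10.0.0.11"}
EXPECTED_SIG_IDS = {"nmap-syn-scan", "nmap-os-probe"}        # the sig-ids named in the rule
GTI_WATCHLIST = {"203.0.113.5": "Suspicious", "198.51.100.7": "Malicious"}


@dataclass(frozen=True)
class Event:
    sig_id: str
    src_ip: str
    dst_ip: str


# Constructed events as the SIEM would present them.
SAMPLE_EVENTS = [
    Event("nmap-syn-scan", "192.0.2.9", "10.0.0.10"),          # the hit the rule was written for
    Event("ssh-brute-force", "203.0.113.5", "10.0.0.11"),      # unrelated sig, GTI Suspicious source
    Event("http-sql-injection", "198.51.100.7", "10.0.0.10"),  # unrelated sig, GTI Malicious source
    Event("nmap-os-probe", "192.0.2.9", "10.0.0.99"),          # scan, but not a critical server
    Event("dns-query", "192.0.2.20", "10.0.0.10"),             # benign traffic to a critical server
]


def original_rule(ev, gti_categories=("Suspicious", "Malicious")):
    """The rule as posted: (expected sig-id OR source on GTI watchlist) AND critical destination."""
    on_gti = GTI_WATCHLIST.get(ev.src_ip) in gti_categories
    return ev.dst_ip in CRITICAL_SERVERS and (ev.sig_id in EXPECTED_SIG_IDS or on_gti)


def scan_rule(ev):
    """Signature-only correlation scoped to critical servers (GTI clause removed)."""
    return ev.dst_ip in CRITICAL_SERVERS and ev.sig_id in EXPECTED_SIG_IDS


def gti_rule(ev, gti_categories=("Malicious",)):
    """Separate GTI correlation for critical servers, Malicious-only by default."""
    return ev.dst_ip in CRITICAL_SERVERS and GTI_WATCHLIST.get(ev.src_ip) in gti_categories


def triggered(rule, events=SAMPLE_EVENTS, **kwargs):
    """Return the sorted sig-ids of events that fire the given rule."""
    return sorted(ev.sig_id for ev in events if rule(ev, **kwargs))


if __name__ == "__main__":
    print("original:", triggered(original_rule))   # includes ssh-brute-force and http-sql-injection
    print("scan only:", triggered(scan_rule))       # only the Nmap signature
    print("gti only:", triggered(gti_rule))         # watchlist hits, reviewed on their own
```

Narrowing the original rule to the Malicious feed only (`gti_categories=("Malicious",)`) drops the Suspicious-sourced event but still reports unrelated signatures, which is why the two replies recommend a separate GTI correlation.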