Custom Correlation Rule not triggering properly

Dear All,

We want to create a rule for our critical servers to identify if some port scanning or malicious activity is performed. I have run Nmap on one of our servers, which triggered the default rules in the SIEM. Using those rule signatures, I created a custom correlation rule that checks if the same attacks are on our critical servers. The rule is triggering, but with other rule signatures that I did not mention. Please see the screenshots attached.


As shown above, the rules are in the green, but when I try to see the triggered events, I can see other rules that have been triggered rather than the ones mentioned above. Please see the screenshots below.

rule 2.png

rule 3.png


Can anyone explain why other rules are triggered rather than the ones mentioned in the rule?


3 Replies
McAfee Employee

Re: Custom Correlation Rule not triggering properly

Hi Fahad

I think that this question is probably best approached via a support ticket. We would need to know the sig-ids that are being triggered and the nature of the events, and look at the specifics of the rule you have written.

Can you open a new case for that? When it is resolved, a summary of the findings could be posted to the Community Portal.




Re: Custom Correlation Rule not triggering properly


Looking at your correlation rule you are using the GTI watchlist feeds. I checked on one of the IP addresses which is in fact listed in the Watchlist.

Possibly you can tweak your rule to use just the Malicious GTI feed rather than both the Suspicious and Malicious?

You can also try removing that particular rule to see if it removes a lot of the erroneous triggers.

Just a few things I noticed at first pass.

Level 9

Re: Custom Correlation Rule not triggering properly


First, similar to what David Osborne said, you need to do something about your GTI. I suggest, for this correlation, take it out. You will get way too many alerts from that single correlation alone. Use the GTI in its own correlation rule (green rules are correlations).

Secondly, an easier way to get your expected output is to copy the default correlations you are using in your "OR" boolean and add your filter for the destination IP and source IP, then just rename your correlation to state it's for your critical servers.

Hope that helps
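The point both replies make is that an "OR" which includes a GTI watchlist match will fire on any event whose source IP is on the watchlist, whatever its signature, which is exactly why the triggered-events view shows sig-ids the rule never named. The following is an added model of that logic written for this thread, not McAfee ESM rule syntax and not anything from the original posts; every signature id, IP address and watchlist entry in it is a constructed placeholder. It runs the same sample events through the original "scan signatures OR GTI, filtered to critical servers" shape, the scan-only shape suggested above, and a separate GTI-only correlation, and reports which unexpected sig-ids each one surfaces.

```python
"""Model of the correlation-rule logic discussed in this thread.

Not McAfee ESM rule syntax: a plain-Python model of three rule shapes so the
difference in what they match is visible on sample events. All signature ids,
IP addresses and watchlist entries below are constructed placeholders.
"""
from dataclasses import dataclass

# Constructed: signature ids the Nmap run triggered in the default rules
SCAN_SIG_IDS = {9001, 9002, 9003}
# Constructed: critical servers the custom rule is meant to protect
CRITICAL_SERVERS = {"10.0.0.5", "10.0.0.6"}
# Constructed: IPs standing in for the GTI Suspicious/Malicious watchlist feeds
GTI_WATCHLIST = {"198.51.100.7"}


@dataclass(frozen=True)
class Event:
    sig_id: int
    src_ip: str
    dst_ip: str


def loose_rule(event):
    """Original shape: (scan signature OR GTI watchlist) AND critical destination.

    Returns the reason the rule fired, or None if it did not.
    """
    if event.dst_ip not in CRITICAL_SERVERS:
        return None
    if event.sig_id in SCAN_SIG_IDS:
        return f"scan signature {event.sig_id}"
    if event.src_ip in GTI_WATCHLIST:
        # Fires regardless of sig_id: this is the source of the "other" rules
        return f"GTI watchlist hit on {event.src_ip} (sig {event.sig_id})"
    return None


def scan_rule(event):
    """Suggested shape: scan signatures only, filtered to critical servers."""
    if event.dst_ip in CRITICAL_SERVERS and event.sig_id in SCAN_SIG_IDS:
        return f"scan signature {event.sig_id}"
    return None


def gti_rule(event):
    """GTI watchlist kept as its own correlation, as the last reply suggests."""
    if event.dst_ip in CRITICAL_SERVERS and event.src_ip in GTI_WATCHLIST:
        return f"GTI watchlist hit on {event.src_ip} (sig {event.sig_id})"
    return None


# Constructed sample events
SAMPLE_EVENTS = [
    Event(9001, "203.0.113.10", "10.0.0.5"),   # Nmap scan against a critical server
    Event(4321, "198.51.100.7", "10.0.0.5"),   # unrelated sig, source is on the watchlist
    Event(9002, "203.0.113.10", "10.0.0.99"),  # scan against a non-critical host
    Event(4321, "203.0.113.11", "10.0.0.6"),   # unrelated sig, clean source
]


def run(rule, events=SAMPLE_EVENTS):
    """Apply one rule to every event; return (sig_id, reason) for each hit."""
    hits = []
    for event in events:
        reason = rule(event)
        if reason is not None:
            hits.append((event.sig_id, reason))
    return hits


def unexpected_sig_ids(rule, events=SAMPLE_EVENTS):
    """Sig-ids the rule fires on that were never listed in SCAN_SIG_IDS."""
    return {sig for sig, _ in run(rule, events) if sig not in SCAN_SIG_IDS}


if __name__ == "__main__":
    for name, rule in (("loose", loose_rule), ("scan-only", scan_rule), ("gti-only", gti_rule)):
        print(name, run(rule), "unexpected:", unexpected_sig_ids(rule))
```

Running it shows the loose rule firing on sig 4321 purely because 198.51.100.7 is on the watchlist, while the scan-only rule fires only on the signatures that were actually listed and the GTI-only correlation carries the watchlist hits on its own, so each alert stream can be tuned separately.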

