Custom Correlation Rule not triggering properly

Dear All,

We want to create a rule for our critical servers to identify if some port scanning or malicious activity is performed. I ran Nmap on one of our servers, which triggered the default rules in the SIEM. Using those rule signatures I created a custom correlation rule that checks if the same attacks are on our critical servers. The rule is triggering, but with other rule signatures that I did not mention. Please see the screenshots attached.

[attached screenshot: 1.png]

As shown above, the rules are in the green, but when I try to see the triggered events, I can see other rules that have been triggered rather than the ones mentioned above. Please see the screenshots below.

[attached screenshot: rule 2.png]

[attached screenshot: rule 3.png]

[attached screenshot: rule1.png]

Can anyone explain why other rules are triggered rather than the ones mentioned in the rule?

thanks

3 Replies
McAfee Employee

Re: Custom Correlation Rule not triggering properly

Hi Fahad

I think that this question is probably best approached via a support ticket. We would need to know the sig-ids that are being triggered, the nature of the events, and look at the specifics of the rule you have written.


Can you open up a new case on that and, when it is resolved, a summary of the findings could be posted to the Community Portal.

Thanks

Chris

Re: Custom Correlation Rule not triggering properly

Fahad,

Looking at your correlation rule you are using the GTI watchlist feeds. I checked on one of the IP addresses which is in fact listed in the Watchlist. 

http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=221.120.226.8

Possibly you can tweak your rule to use just the Malicious GTI feed rather than both the Suspicious and Malicious?

You can also try removing that particular rule as well to see if it removes a lot of the erroneous triggers.

Just a few things I noticed at first pass.

dcobes
Level 9

Re: Custom Correlation Rule not triggering properly

Fahad,

First, similar to what David Osborne said, you need to do something about your GTI. I suggest, for this correlation, take it out. You will get way too many alerts from that single correlation alone. Use the GTI in its own correlation rule (green rules are correlations).

Secondly, an easier way to get your expected output is to copy the default correlations you are using in your "OR" boolean and add your filter for the destination IP and Source IP, then just rename your correlation to state it's for your crit servers.

Hope that helps

-d
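The two replies above point at the same cause: a correlation written as "(scan signatures OR GTI watchlist hit) AND destination is a critical server" fires on any signature at all whenever the source address happens to be on the GTI list, which is exactly the unexpected signatures seen in the triggered events. The toy evaluator below is an added illustration, not McAfee ESM code or anything from this thread. It models that boolean shape next to the three alternatives discussed here (Malicious feed only, scan signatures only with the IP filter, and GTI as its own rule). All signature IDs, IP addresses, watchlist entries and events are constructed placeholders.

```python
"""Toy correlation-rule evaluator (added illustration, not McAfee ESM code).

Models the thread's problem: a rule written as
    (sig_id in SCAN_SIGS  OR  src_ip in GTI watchlist)  AND  dst_ip in CRITICAL_SERVERS
fires on any signature whenever the source is on the GTI list, which is why
unrelated signatures show up in the triggered events. The alternatives
discussed in the thread are shown beside it. Every ID, IP and event below is
a constructed sample value.
"""
from dataclasses import dataclass

CRITICAL_SERVERS = {"192.0.2.10", "192.0.2.11"}          # constructed critical-server list
SCAN_SIGS = {"SIG-SCAN-1", "SIG-SCAN-2", "SIG-SCAN-3"}   # placeholder default scan sig-ids
GTI_SUSPICIOUS = {"198.51.100.7"}                        # constructed "Suspicious" watchlist
GTI_MALICIOUS = {"203.0.113.9"}                          # constructed "Malicious" watchlist


@dataclass(frozen=True)
class Event:
    sig_id: str
    src_ip: str
    dst_ip: str


EVENTS = [  # constructed sample events
    Event("SIG-SCAN-1", "198.51.100.50", "192.0.2.10"),   # genuine scan against a critical server
    Event("SIG-LOGIN-OK", "198.51.100.7", "192.0.2.10"),  # benign sig, but source is on the Suspicious list
    Event("SIG-SCAN-2", "198.51.100.50", "192.0.2.99"),   # scan, but not against a critical server
    Event("SIG-HTTP-404", "203.0.113.9", "192.0.2.11"),   # unrelated sig, source is on the Malicious list
]


def on_any_gti(e: Event) -> bool:
    return e.src_ip in GTI_SUSPICIOUS or e.src_ip in GTI_MALICIOUS


def rule_as_posted(e: Event) -> bool:
    """Shape from the original post: scan sigs OR both GTI feeds, ANDed with the server filter."""
    return (e.sig_id in SCAN_SIGS or on_any_gti(e)) and e.dst_ip in CRITICAL_SERVERS


def rule_malicious_only(e: Event) -> bool:
    """First suggestion in the thread: keep only the Malicious feed inside the OR."""
    return (e.sig_id in SCAN_SIGS or e.src_ip in GTI_MALICIOUS) and e.dst_ip in CRITICAL_SERVERS


def rule_scan_only(e: Event) -> bool:
    """dcobes's suggestion: copied default scan correlations plus the IP filter, no GTI clause."""
    return e.sig_id in SCAN_SIGS and e.dst_ip in CRITICAL_SERVERS


def rule_gti_separate(e: Event) -> bool:
    """GTI hits against critical servers as their own correlation, so they alert separately."""
    return on_any_gti(e) and e.dst_ip in CRITICAL_SERVERS


def triggered_sigs(rule, events=EVENTS):
    """Return the sorted list of signature IDs that made `rule` fire over `events`."""
    return sorted({e.sig_id for e in events if rule(e)})


if __name__ == "__main__":
    for name, rule in [
        ("as posted", rule_as_posted),
        ("malicious only", rule_malicious_only),
        ("scan sigs only", rule_scan_only),
        ("gti separate", rule_gti_separate),
    ]:
        print(f"{name:15s} -> {triggered_sigs(rule)}")
```

Running it shows the posted shape firing on SIG-LOGIN-OK and SIG-HTTP-404 purely because of the watchlist clause, the Malicious-only variant still admitting one unrelated signature, and the scan-only rule matching exactly the signatures the rule was meant to watch, with the GTI hits surfacing in their own rule instead of being mixed into the scan alert.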